Threat modeling: A critical, yet underused, element of cybersecurity risk analysis

The staff at Motherboard recently updated its Guide to Not Getting Hacked to include more suggestions on how to avoid getting into digital hot water. Interestingly, threat modeling, a topic not often discussed, is brought up several times in the guide.

The Electronic Frontier Foundation (EFF) defines a threat model as (threat modeling is listed as a synonym of threat model):

“A way of narrowly thinking about the sorts of protection you want for your data. It’s impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. Coming up with a set of possible attacks you plan to protect against is called threat modeling. Once you have a threat model, you can conduct a risk analysis.”

Put simply, threat modeling is a way to evaluate whether a person or an organization is likely to be hacked.

5 questions to consider when modeling threats

When modeling threats, the EFF advises that answering the following questions is a good place to start (the first question has been edited slightly).

  • What do I have that is worth protecting?

  • Who do I want to protect it from?

  • How likely is it that I will need to protect it?

  • How bad are the consequences if I fail?

  • How much trouble am I willing to go through to prevent these consequences?

Determining the type and extent of security measures is next—after who, what, and how have been worked out. The experts at EFF urge caution during this phase. Security is more than tools or software—it is an ongoing process using threat modeling to decide what is the right kind and right amount of security. On the EFF page about risk assessment: “In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it.”

Caution against overestimating and overreacting to perceived security threats

One might think if a little of something helps, then more is better—the guide’s authors suggest otherwise, as overestimating and overreacting to the perceived threat landscape can be a problem. This is especially true if the security department deploys unneeded custom systems or overly complex hardware and software, and the technology is used incorrectly.

From the guide: “At best, even simple tasks might take longer. In a worst-case scenario, you might be lulling yourself into a false sense of security with services and hardware that you don’t need, while overlooking what actually matters to you and the actual threats you might be facing.”

Why threat modeling is scant for mobile devices

Mobile devices are immensely popular and are fast becoming the target of choice for cybercriminals, whose success is evident; yet threat modeling is seldom employed to help fend them off.

“With everyone I’ve ever worked with outside of Microsoft, no one’s done it [mobile-device threat modeling] until we’ve done it with them and taught them how to do it,” states Michael Howard, senior principal cybersecurity architect at Microsoft, in Christopher Null’s TechBeacon article. Howard adds that the problem is exacerbated, because few if any threat models exist for mobile devices.

Howard adds, “Many people don’t model for threats because they don’t realize they can do it. Others mistakenly think they can wing it. Unfortunately, when you do it that way, 99 times out of 100 you get at least something wrong.”

After speaking with Steve Manzuik, director of security research at Duo Security, Null suggests that another reason threat modeling is not used when deciding how best to protect mobile devices is the intricacy of the process. “The complexity lies in the fact that a proper threat model relies on clear design documentation and a full understanding of how the application has been implemented,” says Manzuik. “In a fast-paced [mobile development] environment, this documentation—and even an understanding of the application—does not always exist.”

Threat modeling takes practice

The Motherboard guide suggests that we do not need to be experts when it comes to computer and network security, because the threats and the tools developed to address the threats are constantly changing. It is more important to start thinking about security risks and not be intimidated by the technology.

Null writes that threat modeling is a learned skill, adding, “The OWASP mobile security project threat model provides a great starting point, with an overview of best practices and methodologies such as STRIDE and DREAD.”
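To make the STRIDE and DREAD methodologies mentioned above concrete, here is an added example (not code from the article, TechBeacon, OWASP or Microsoft) that applies the standard STRIDE-per-element mapping to a small, constructed data-flow diagram of a hypothetical mobile app and then ranks a few of the resulting threats with DREAD scores. The element names and the scores are assumptions chosen for illustration; the value of the exercise is that enumeration is mechanical once the diagram exists, which is exactly why Manzuik's point about missing design documentation matters.

```python
"""STRIDE-per-element enumeration and DREAD ranking for a small mobile-app DFD.

Added example; the DFD below describes a hypothetical app, not a real product.
"""
from dataclasses import dataclass

# STRIDE-per-element: which threat categories apply to each kind of
# data-flow-diagram element. S=Spoofing, T=Tampering, R=Repudiation,
# I=Information disclosure, D=Denial of service, E=Elevation of privilege.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of the STRIDE_PER_ELEMENT keys


@dataclass(frozen=True)
class Threat:
    element: str
    category: str


def enumerate_threats(elements):
    """Apply STRIDE-per-element to every DFD element.

    Returns one Threat per (element, applicable category) pair, in diagram order.
    """
    threats = []
    for element in elements:
        if element.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {element.kind}")
        for letter in STRIDE_PER_ELEMENT[element.kind]:
            threats.append(Threat(element.name, STRIDE_NAMES[letter]))
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD: rate each axis 1-10 and average them; higher means address sooner."""
    axes = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= axis <= 10 for axis in axes):
        raise ValueError("each DREAD axis must be rated 1-10")
    return sum(axes) / len(axes)


def rank_threats(scored):
    """scored: list of (Threat, dread_score) -> same pairs, highest score first."""
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed DFD for a hypothetical mobile app (an assumption for this example).
MOBILE_APP_DFD = [
    Element("User", "external_entity"),
    Element("Mobile app", "process"),
    Element("App -> API (HTTPS)", "data_flow"),
    Element("API server", "process"),
    Element("On-device token cache", "data_store"),
]


def example_ranking():
    """Enumerate all threats, then DREAD-score three an analyst might prioritise."""
    threats = enumerate_threats(MOBILE_APP_DFD)
    token_leak = Threat("On-device token cache", "Information disclosure")
    flow_tamper = Threat("App -> API (HTTPS)", "Tampering")
    api_dos = Threat("API server", "Denial of service")
    # The three picked threats must come from the enumeration, not be invented.
    assert {token_leak, flow_tamper, api_dos} <= set(threats)
    scored = [
        (token_leak, dread_score(8, 6, 5, 7, 4)),   # illustrative ratings -> 6.0
        (flow_tamper, dread_score(7, 3, 3, 7, 5)),  # illustrative ratings -> 5.0
        (api_dos, dread_score(5, 8, 6, 9, 7)),      # illustrative ratings -> 7.0
    ]
    return rank_threats(scored)


if __name__ == "__main__":
    for threat, score in example_ranking():
        print(f"{score:4.1f}  {threat.element}: {threat.category}")
```

Five elements yield 21 candidate threats; that list is the starting point for the "who, what, and how" questions above, and the DREAD pass is one way to decide which of them are worth the trouble of mitigating first.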

Middle Market CEO, CRO, CFO or Directors – Cyber Job Security Index

Why Cybersecurity Equals Job Security. Better manage your reputational and financial risk.

January 8, 2018 – Dallas, Texas and Atlanta, Georgia – Strategic enterprise risk management (ERM) expert and speaker Gary W. Patterson, FiscalDoctor®, points out that “It’s not if, but when, you’ll be attacked” in his article How Safe Is Your Business? Why Cybersecurity Equals Job Security for CEOs, CFOs and Others published by Corporate Compliance Insights (CCI) at

  • Why C-suite jobs now are at risk and actually being lost.

  • How organizations, not unlike yours, are silently and invisibly breached every day.

  • Which preventive steps you can implement.

Before you start spending any money on an external assessment of your cyber exposure, start with the Three-Minute Self-Scoring Review to suggest your Cyber Job Security category and the article’s accompanying 5-step remedy.

Who should consider applying this process with applications for profitable growth, risk assessments and enterprise risk management (ERM) type issues, inside a value based operational and strategic assessment framework?

  • Family business, private and public business and equity group investors

  • Corporate directors, key committee chairs and board chairs

  • Corporate officers and C-suite executives

  • Shareholders, stakeholders, regulators and legislators

  • SMB, middle market and global 2000

About Corporate Compliance Insights

Corporate Compliance Insights is a professionally designed and managed forum dedicated to online discussion and analysis of corporate compliance, risk assessment, ethics, audit and corporate governance topics. Additionally, Corporate Compliance Insights is a focused knowledge-sharing forum designed to educate and encourage informed interaction within the corporate compliance community – dealing with issues of ethics, audit, compliance, FCPA, governance, risk, fraud and GRC.

Corporate Compliance Insights is founded by Maurice Gilbert, managing partner of Conselium, a compliance-focused executive search firm.

About Gary W. Patterson

Patterson, a Big 4 CPA / Stanford MBA, speaks regularly on business growth, accountability, facilitation, governance, risk management, achieving corporate financial goals, and building long-term wealth.

He can also help increase your profitability by providing access to 100 best-of-business experts, often better and cheaper than incumbents. Gary can be reached at 678-319-4739 or

© Gary W. Patterson.

Gary W. Patterson

FiscalDoctor Inc.

Meet the 9 cyber security startups that showcased their innovative product ideas at AISS

NASSCOM’s Data Security Council of India (DSCI) chose 9 startups for the Most Innovative Product of the Year at the Annual Information Security Summit 2017 to provide impetus to budding security product companies.

The Indian industry is riding high on the wave of entrepreneurial traction in the domain of cyber security and security product development with over 50 security product companies emerging in the last few years.

Though currently at a nascent stage, these organisations are enjoying robust sales traction and are working toward global recognition.

To provide impetus to the growth of the Indian cyber security market, NASSCOM’s Data Security Council of India (DSCI) is working towards contributing and building a favorable ecosystem for growth-led, sustainable business segments of security product and services companies in the country.

Many initiatives and activities have been undertaken by DSCI to encourage indigenous product development, providing a platform to startups to connect with the key stakeholders of the ecosystem.

One such initiative is the NASSCOM-DSCI Excellence Awards for product companies, comprising two categories. The Security Product Company of the Year is for companies that have developed an information security or privacy product, while the Most Innovative Product of the Year (Innovation Box) is for startups.

The competition comprised an evaluation process by a jury made up of Vishal Salvi, Chief Information Security Officer and SVP, Infosys; Shivkumar Pandey, Chief Information Security Officer, BSE; Sanjay Bahl, Director General, CERT-In; Venkat Vallabhaneni, General Partner, Parampara; and Bindu Dey, Secretary, Technology Development Board.

After jury evaluation along with live audience polling, Lucideus Technologies and Security Brigade were announced winners and AppsPicket occupied the runner-up spot at the Awards Night during the Annual Information Security Summit 2017.

The Lucideus Tech team receiving the excellence award

We take a closer look at the companies:

The winners & runner-up

Lucideus Technologies: Launched in 2012, Delhi-based Lucideus Technologies is a complete cyber security solutions provider that enables clients to secure web-based resources. It helps clients eliminate the risk of unauthorised access to key systems, files or databases by identifying vulnerabilities in their web estate. It also organises ethical hacking and web-security workshops and seminars.

Security Brigade: Founded in 2006, Security Brigade is an information security consulting firm based in Mumbai that specialises in delivering high-quality services through expert-driven manual testing. It offers penetration testing, vulnerability assessment, web-application security and source code security audits. The company won the award for its flagship product, ShadowMap. Using internet-wide scanning, big data analysis and machine learning, ShadowMap continuously identifies and maps an organisation’s shadow IT and infrastructure.

AppsPicket: Launched in 2015, AppsPicket’s mission is to bring advanced cryptography to all businesses, whether small, medium or large. The startup, based out of Delhi and London, works in the Strong Authentication (2FA) and Cloud Security domain. It aims to use advanced cryptography to solve real-world security problems with its range of products, including Cryptopass, Developer SDK and Authportal. The brand’s next-generation Two Factor Authentication – I2FA – is making adoption of strong user authentication simpler and frictionless.

The other finalists

Adoroi Tech Ventures: Launched in 2006, this Mumbai-based venture helps companies increase their ROI on offline and online advertising, generate high-quality leads, and perform intelligent geo-call patching and routing; it also provides additional security layers for existing financial processes and offers internet-less banking for the rural masses using its proprietary technology platform.

Block Armour: Harnessing the potential of Blockchain and emerging technology, Mumbai-based Block Armour, launched in 2016, aims to disrupt cybersecurity. Blending cybersecurity insights, IT security best practices and emerging technologies, Block Armour aims to provide a base for a new breed of identity management, data/information integrity, and IoT-related security solutions.

HaltDos: Launched in 2015, Noida-based HaltDos is an AI-driven website protection service that secures websites against cyber threats. Its comprehensive offering provides DDoS protection, web application firewall and load balancing features in a single solution and is available in the cloud as well as an on-premise appliance.

Instasafe: Bengaluru-based InstaSafe is a cloud-based security solutions provider that helps mobile and remote workers securely access enterprise apps, email and the web on a SaaS model. Launched in 2012, InstaSafe offers hardware-free, zero-configuration, self-service style, fully redundant Security-as-a-Service which can be deployed in minutes with comprehensive reporting.

Kratikal Tech: Launched in 2016, the Noida-based startup provides end-to-end cyber security solutions. It offers a complete suite of vulnerability assessment and penetration testing services as well as security audits for PCI DSS, HIPAA, GDPR and ISO 27001. Kratikal Tech’s product, the People Risk Assessment (PRA) Engine, claims to assess the real-time threat posture of an organisation from a people point of view, reducing cyber risk by up to 90 percent.

Primeauth: Hyderabad-based Primeauth provides easy, reliable, scalable and user-friendly two-factor (2FA) and multi-factor authentication (MFA). It also specialises in SSH (Secure Shell) authentication, cloud, and identity and access management, aimed at eliminating the need for expensive traditional hardware tokens or OTPs.

Promoting innovation in the cybersecurity space

DSCI’s objective is to act as a catalyst for startups working in the cybersecurity space to come up with more innovative product ideas and address real risks, build resilience, increase trustworthiness and create a conducive environment for businesses.

The initiative is an attempt to provide support to product companies in various aspects by bringing these new players nearer to established security leaders, innovators and other stakeholders on a common platform for idea sharing, guidance and collaboration.

How To Create A Winning Security Awareness Program

As phishing and malware attacks become more prevalent and sophisticated, midsize and large businesses must rely on employees to protect their data. But employees are busy. And security to them is often an afterthought.

If you’re serious about security — and you need to be — answering the right questions, following established guidelines and taking an unconventional approach to security can be a winning formula for mounting an effective defense.

While conducting security awareness training might not seem worth the effort, a well-designed program can generate tremendous benefits.

Harnessing behavioral science, such programs use unconventional methods. Training posters may wind up in bathroom stalls, and tests may include baiting employees with phony phishing emails.

Strengthening The First Line Of Defense

Srinivas Vemula at the IT consulting firm SenecaGlobal has been advising clients on the importance of security awareness training for almost a decade. Although he has seen security awareness methods change over time, one thing has been constant: the need for a staff educated about security and the dangers of online threats.

“Security has always been one of those important topics that gets lost in other company priorities,” said Vemula, the company’s global product management lead. “Recent security breaches could have been prevented if the employees were aware of the current threats and topics. Many of your employees may not have the required knowledge to make informed decisions.”

Such shortfalls happen all too easily. After all, it’s only human to get caught up in one’s daily workload, relegating security to an afterthought, Vemula said.

Security Through Psychology

When trying to educate staff about security, unconventional methods of training may be the best course of action. Since security is generally considered to be boring, it’s important to follow a behavioral model of training in which a gentle nudging is applied. Having your employees get nudged to do the right thing is a significant trend in security awareness training, Vemula said.

One such method is to leverage software and/or network policies to offload some of the mental burden of having to remember security rules and practices. Using simple safeguards such as programming your systems to lock computers automatically, deploying software that blocks malicious links in an email or using a secure password management system can go a long way.

“A lot of these techniques don’t ask employees to follow any guidelines; the rules push the user to make the right decision and also decrease the number of decisions humans have to make,” Vemula said.

Those decisions, especially having to remember passwords, can be the bane of many users’ existence. Employees hate long passwords. They may hate having to change them even more. Vemula insists that when it comes to password management, a secure password manager that generates strong passwords and stores every password for each app or website works wonders.

If software isn’t for you, a phrase can serve much better as a “password” than a long string of alphanumeric characters.

“It takes a brute-force attacker exponentially longer to identify a phrase than hacking a particular word, even with numbers and characters,” Vemula said.
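Vemula's claim above can be checked with a back-of-the-envelope search-space estimate. The following is an added example, not code from the article or from SenecaGlobal: it compares the number of guesses an attacker would need to exhaust three password policies, using a constructed wordlist size, a diceware-style list of 7,776 words and an assumed guess rate. One caveat the quote leaves implicit and the code makes explicit: the passphrase numbers only hold when the words are chosen at random from the list, not when the "phrase" is a quotation or song lyric an attacker can also enumerate.

```python
"""Search-space comparison: mangled dictionary word vs. random string vs. passphrase.

Added example with constructed assumptions; adjust the constants to your own policy.
"""
import math

DICTIONARY_WORDS = 50_000   # assumed size of a cracking wordlist
DICEWARE_WORDS = 7_776      # size of a standard diceware-style word list (6**5)
ALPHANUMERIC = 62           # a-z, A-Z, 0-9
SECONDS_PER_YEAR = 365 * 24 * 3600


def random_string_space(length, alphabet_size=ALPHANUMERIC):
    """Guesses needed to exhaust uniformly random strings of the given length."""
    return alphabet_size ** length


def passphrase_space(word_count, list_size=DICEWARE_WORDS):
    """Guesses needed to exhaust passphrases of `word_count` random list words."""
    return list_size ** word_count


def mangled_word_space(substitutable_positions, suffix_digits, dictionary=DICTIONARY_WORDS):
    """A dictionary word with optional look-alike substitutions (a->@, s->$, o->0 ...)
    at a few positions and some digits appended. Each substitutable position is
    either swapped or not (factor 2), each suffix digit adds a factor of 10."""
    return dictionary * 2 ** substitutable_positions * 10 ** suffix_digits


def entropy_bits(space):
    """Size of the search space expressed in bits."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=10 ** 10):
    """Return {policy: (bits, years to exhaust)} for a few representative policies.

    The guess rate is an assumption standing in for an offline cracking rig."""
    policies = {
        "dictionary word + 3 substitutions + 2 digits": mangled_word_space(3, 2),
        "8 random alphanumeric characters": random_string_space(8),
        "4-word diceware passphrase": passphrase_space(4),
        "6-word diceware passphrase": passphrase_space(6),
    }
    return {
        name: (round(entropy_bits(space), 1), years_to_exhaust(space, guesses_per_second))
        for name, space in policies.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{bits:5.1f} bits  {years:14.3g} years  {name}")
```

The mangled word sits around 25 bits, the 8-character random string near 48 bits, and the 4-word passphrase near 52 bits, so the passphrase is both easier to remember and larger in search space; the "exponentially longer" in the quote is literal, because each added random word multiplies the space by the list size.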

It Starts From The Top

Passwords aside, the most crucial ingredient to any security awareness program is buy-in from top-level executives. According to Vemula, a culture that incorporates an appreciation for security goes a long way toward employee engagement. Consequently, he encourages C-suite executives to assess risk and categorize threats before embarking on any awareness process.

One exercise that has yielded positive results is having executives get together and do a red team-blue team type of activity.

“It’s a game environment where one team says, ‘I’m going to do a DoS attack on the DNS server’ — and the other team needs to explain how they’ll defend against it,” he said. “These unconventional exercises will expose a company’s blind spots, and are a great part of any security awareness program.”

As 2018 looms, online threats are becoming more powerful and sophisticated. They are spreading faster and likely will be more costly to companies that are attacked. Every company, regardless of size, needs a plan to address what needs to be done if and when an attack occurs.

“There are lots of standard frameworks to get you started, as the government has done a good job in providing information,” Vemula said.

For example, the National Institute of Standards and Technology has a great framework with questions to ask and procedures to follow. Companies can use this framework to kick-start or improve their security programs, he said.

Are you a ‘cyberloafer’? Experts warn employees are spending over two hours a day slacking off online – and say it’s causing major security risks

  • 45% of employees questioned cited surfing the internet at work for personal purposes as the number one distraction at work

  • Research suggests employees each waste an average of 2.09 hours a day

  • Those who scored higher for internet addiction behaviour were also much more likely to have poorer awareness of and follow safety protocols


The biggest threat to an organisation’s cyber-security comes from within, according to a growing body of evidence.

Employees are frequently putting their companies at risk of hacking by sharing their passwords, using public WiFi networks to send sensitive information, or not protecting the privacy of social media accounts.

But there’s another threat that at first seems innocuous and that we’re all probably guilty of, something that researchers have dubbed ‘cyberloafing’.

A De Montfort University study says that the rise of ‘cyberloafing’ is causing major security issues for firms, as those who browse personal sites are less likely to follow corporate security rules.

Early estimates from the new study suggested that 45% of employees questioned cited surfing the internet at work for personal purposes as the number one distraction at work.

This can have a big impact on a company’s productivity, with research suggesting that employees each waste an average of 2.09 hours a day while cyberloafing.

My research group’s new study shows this practice of using work computers for personal internet browsing can become a serious security threat to a company when it goes too far.

Most companies accept that their employees will occasionally check social media or send personal emails from work computers. But in some cases things can get more serious, with people spending significant amounts of time updating their own websites, watching videos or even pornography.

But our new study also shows that the more employees engage in serious cyberloafing, the less likely they are to follow the rules and protocols designed to protect the company’s IT systems, and the bigger threat they become to cyber-security.

We asked 338 part-time and full-time workers aged 26-65 about their cyberloafing habits, their knowledge of information security, and behaviour that could indicate internet addiction.

Those who cyberloafed more often knew less about information security. And those who engaged in more serious cyberloafing (such as updating personal websites, visiting dating websites or downloading illegal files) had significantly poorer cyber-security awareness.

Typically, people undertaking more serious cyberloafing were less aware of how to stay safe online and how to protect sensitive information. One reason for this could be that they are so determined to get online that they don’t want to pay attention to information about online safety and ignore the risks. On the other hand, they may believe their companies can protect themselves from anything that might happen as a result of risky behaviour.

Those in our survey who scored higher for internet addiction behaviour were also much more likely to have poorer awareness of and follow safety protocols.

And those who were both serious cyberloafers and potential internet addicts posed the greatest risk of all.

As I explain in my recent book Cybercognition, internet addiction is a compulsion to get online, sometimes with the aim of fuelling other addictions to digital activities such as online gambling or shopping. Critically, the drive to get online can be the same as any physical addiction, so the internet acts like a drug for some people.

This means people who show aspects of internet addiction may be more determined to get online at any costs and more likely to try to get around security protocols or ignore advice about online safety.

They may think they know better because they spend so much time online. Or they may not fully understand the risks because they are so absorbed in the online world.

All of this doesn’t mean we should cut off all internet access for employees. Being able to surf the internet is an important part of some people’s work. But excessive use of internet services and work IT systems can put companies at risk, particularly when people are accessing risky websites or downloading programmes from unknown sources.


There are a number of things companies can do to help mitigate the risks from excessive cyberloafing.

As we suggest in our study’s conclusion, some organisations may apply very strict penalties for serious rule breaking.

But providing effective training that empowers employees to identify aspects of internet abuse and seek help could be a more effective management tool.

Helping workers understand the risks of their actions might be more beneficial, particularly where these are communicated through focus groups and talks.

But one thing companies should avoid (and all too often don’t) is simply sending out an email reminder. Research shows that messages about the potential risks to information security sent via email are the least effective. And if you’re deep into a cyberloafing session, an email will be just another corporate message lost in an overloaded inbox.

Why Phishing Alone is Not Enough Awareness Training

Over the last several years, phishing simulations have become seen as the equivalent to security awareness training. The result is many organizations are only providing phishing simulation to their employees, and not security awareness training. This trend is a dangerous one, one that may actually lead to greater insecurity.

Why? Organizations are now focusing on only the single threat vector of phishing, admittedly a very serious one, but still one of many.

Cyber-criminals aren’t oblivious to this trend either. They know that leaves the door open for many other types of attacks, or exploitation of vulnerabilities, such as posting of sensitive data to the cloud, mobile device loss or theft, vulnerabilities in IoT-connected devices, social networking over-sharing and over-trusting, and the list goes on and on.

I’ve even heard one security vendor say that you only should do phishing simulation and training on one or two other topics, because that is all employees will remember. That’s good news for cyber-criminals because it leaves other doors open to them.

Why Phishing Simulations Aren’t Enough

A phishing simulation sends simulated, safe phishing messages to employees, then tracks who falls victim to the simulation. The goal is to help employees learn to identify phishing attacks, and to avoid clicking on phishing links, opening attachments, or falling for other phishing attacks like picking up a “lost” flash drive and inserting it into their computer.

If an employee falls for a simulation attack, a well-designed phishing simulation service will direct the employee to targeted training related to that attack. All worthy goals. Phishing, no doubt, is one of the big threats today, and phishing simulation can be a pillar in a strong security awareness program.

Phishing simulations pale in comparison to robust security awareness training: a phishing simulation is targeted training for a single type of threat and is limited in what it can do; it makes assumptions that if employees don’t fall for the attack, they understand the risks. For those that do fall for the attack, it counts on a simple training message being enough for them to learn.

Furthermore, many organizations also face their most serious threats in areas that phishing doesn’t even address. For example, a primary concern of healthcare entities is the exposure of Protected Health Information (PHI). However, many PHI data breaches are the result of lost mobile devices, data posted to the cloud, or improper access. None of those are a result of phishing.

Training: A Negative or Positive Approach

Phishing simulations are often perceived by the targeted staff as a form of entrapment, with negative consequences if an employee falls for the trap. The tricked employee knows they failed the test and that their failure will be reported to management. Adding insult to injury, the just-in-time training may feel more like a punishment, leading to resentment of training. Learning rarely accompanies resentment. Furthermore, once employees leave work and are no longer monitored, there is no incentive for behavior change.

Effective security awareness training is the opposite. Employees are drawn in to learn, and training is presented in a structure that both ensures participation and real learning. Training is fun, relevant and useful for employees both at work and home.

The Need for Effective Security Awareness Training Is Greater Than Ever

Phishing simulations are not a remedy for all problems and will not fix employees’ risky behaviors alone. According to Gartner in their report Innovative Insight for Anti-Phishing Behavior Management: “Anti-phishing behavior management solutions are not a tool for initiating cultural change. Assess your organizational culture first, and deploy anti-phishing as part of a comprehensive program of security behavior management and education.”

Effective security awareness training trains employees on the breadth of the threats they face daily, as well as the choices they must make, and the risks of their own insecure behavior. The key word here is “effective”. Too many organizations have turned from security awareness training to the quick fix of phishing simulation because they feel training failed to achieve the promise of changing behavior. Most often the failure lies in the specific program.

To be truly effective and change behavior, security awareness training must be as much about eLearning as it is about security. First, present security in a way people can learn. Make training brief and frequent. Long training sessions overwhelm trainees, going in one ear and out the other.

Likewise, sessions presented infrequently fail to reinforce learning. Brief and frequent training is something that effective security awareness training and phishing simulation programs can share in common, but the similarities end there.

Effective security awareness training also captures the employees’ interest and is engaging. Based on eLearning principles, training is designed around how people learn. Interactive training and gamification go a long way towards meeting these objectives. The result is people want to learn.

The Ideal Solution

The need for effective security awareness training is clearly greater than ever due to the ever-increasing data breaches, security incidents, and constant introduction of new technologies and services. Phishing simulation can be a valuable tool in your security awareness platform, but it should always be seen as a supporting element, along with other supporting services like awareness materials and policy tracking. When implementing a phishing simulation service, you need to adopt as many eLearning principles as possible. Most importantly, make effective security awareness training the foundation of your security awareness program. This will truly drive behavior change and create a culture of security.

iPhone fingerprint scanner will start security revolution

How the iPhone fingerprint scanner works

Apple’s new iPhone 5S will be the first widely popular gadget to incorporate a fingerprint scanner as a security measure. It likely won’t be the last.

Security experts say fingerprint scanning is safer than typing in a password. Fingerprints are far more distinctive than passwords and harder to hack.

Fingerprint scanning is more convenient too: Your fingers are always with you — no more need to memorize dozens of different username and password combinations. And with Apple’s (AAPL) Touch ID system on the iPhone 5S, a user just has to touch the scanner on the home button, and the phone will automatically unlock.

Sure, fingerprint readers have been available on some previously released devices, including the Lenovo ThinkPad laptop and Motorola Atrix. And several companies have begun replacing security badges with iris scanners.

But biometrics haven’t yet gone mainstream, because earlier attempts have been too expensive, too difficult to use or featured on products that few people bought. Trying to change that, Apple bought biometric company AuthenTec last year for $356 million.

Apple’s combination of ease-of-use and more robust security is why Touch ID will help popularize fingerprint and other biometric scanners on consumer gadgets, according to Phillip Dunkelberger, president of tech security firm Nok Nok Labs.

“User experience will be much better,” said Dunkelberger. “It’s a very good first step for everybody trying to use biometrics.”

Apple’s Touch ID initiative could also be a big hit with companies that allow employees to bring their own devices to work. Enhancing security is a major issue for companies that are increasingly being targeted in cyberattacks.

Unlike four-digit pins, fingerprints can’t be guessed. And experts say Touch ID wouldn’t actually save an image of your entire fingerprint — just a jumbled, random code that is maybe 50 to 100 digits long, according to Joseph Lorenzo Hall, a senior staff technologist at the Center for Democracy & Technology. Plus, Apple says the information stays in a secured file that never leaves your phone.

“It’s like having a very, very long password,” Hall said.

But fingerprints do have flaws that the most desperate hackers could take advantage of: You can’t change your fingerprint, and all it takes to pull fingerprints from a surface is some Scotch tape. Also, fingerprint scanners aren’t made to be 100% accurate. To account for human variation — say, approaching the scanner from a slightly different angle — they need a certain tolerance for error.

That means it’s possible, albeit unlikely, that someone can replicate your fingerprint. So, like everything, it’s not a foolproof system.

But security experts largely see Touch ID as a positive step that could take society a step closer to eliminating much more hack-prone PINs and passwords — and the worry that someone else is peeking over your shoulder, said Berin Szoka, head of the tech policy thinktank TechFreedom.

“The idea of a fingerprint scanner on your phone might seem creepy to some users, but it’s actually great news,” he said. “That … could make it easier for us to engage in sensitive transactions over mobile devices, like banking and government services.”

Scanning QR codes with iOS 11

Q: Do I still need a separate app to scan bar codes and QR codes with my iPhone?

A: Quick Response (QR) codes — those black-and-white square images often found on packaging — have been around for years and serve as shortcuts to websites with more information about the item. Some museums have used QR codes on gallery cards, and services like Snapchat and Spotify are among those using their own variation of the concept.

QR codes can still be scanned with a mobile device using a dedicated app, but if your iPhone is running iOS 11 (or later), Apple’s standard Camera app should be able to detect a quick-response code when the black-and-white square is visible in the picture frame. When the Camera app recognizes a QR code, it displays a message asking if you would like to open the site in your web browser.

If you have the mobile version of Google Chrome installed on your iPhone, you can also use it to scan bar codes and QR codes. To do so, open the Chrome app and tap the browser address bar. When the keyboard appears on the screen, tap the square Scan icon (to the right of the microphone icon) and point the camera at the code. When Chrome decodes the address, it takes you to the product’s webpage. (As a Home-screen shortcut on iPhones with the 3D Touch feature, press and hold the Chrome icon to see a pop-up menu with a Scan QR Code option.)

QR scanning for Android users varies by version and hardware maker, and several third-party apps are available in the Google Play store. In later versions of Android, you can point the camera at an object and press the home button to get more information about what is on your screen from the Google search software.

Step-by-Step Upgrade to Windows 10

Q: How do you upgrade from Windows 10 Home to Windows 10 Professional? Can you do it without having to reinstall everything on the computer?

A: Performing a “clean install” — where you copy all your data from the computer before reformatting the drive, installing a factory-fresh version of an operating system and copying your data back — can prevent many upgrade glitches. However, Microsoft allows you to upgrade your copy of Windows 10 Home to Windows 10 Professional directly by downloading the software from its online store. Before you upgrade, make sure your system is up-to-date and fully back up your computer.

Depending on where you got the version of Windows 10 currently running on your PC, you may have to pay an upgrade fee of $99. You will need to activate the new version with either a digital license or a digital entitlement (which is already installed on the PC from your original purchase) or by entering another 25-character Microsoft product key from the seller.

If you do not have a license or product key from your original system purchase, go to the Start menu and select the Settings icon. Choose Update & Security and on the next screen, select Activation. Tap or click the “Go to Store” link in the box to visit the Microsoft Store to buy and download Windows 10 Professional on your PC.

Unless you have a digital license stored on your computer, you need to pay for the upgrade. (If you do have a product key for the Pro version, select the Change Product Key option in the Activation box and type in the new code.)

Windows 10 Professional includes all the features of Windows 10 Home but adds bonus features like automatic cloud storage for your Microsoft Office files and the ability to log into your computer remotely. For extra security, the professional edition also includes BitLocker, Microsoft’s tool for encrypting your computer’s hard drive.

How to Use Your iPad / iPhone Camera to Scan Documents to PDF [iPhone & iPad 2]


Picture this. You have a really important meeting at work today, one that you’ve been up most of the night preparing for, creating documents, spreadsheets, and what not. You’ve been tasked with making digital copies of your physical notes to send to your colleagues to help prep them for this meeting, which starts in about two hours. If you were in a hurry and could only bring one thing to this meeting, what would it be?

If it was me, it would be my iPad. As for the documents I had to scan, well, that’s all been taken care of, because I used an iPad app that allowed me to take pictures of each of my documents and turn them into shiny new digital PDFs that I can organize and share with my colleagues at the click of a button. Sound convenient? Prepare to never need to keep a piece of paper ever again.

What Is OfficeDrop?

OfficeDrop converts paper and digital files into text-searchable documents. You can safely share and access documents from anywhere, organize your documents using folders and labels, eliminate the need for paper by converting everything to digital, and find and share documents instantly with this app.

You can digitize receipts, invoices, contracts, or anything else with your iPad/iPhone’s built-in camera, and you’ll always have your paper and digital documents with you when you’re on the move. If you know how to use a search engine then you can easily organize your documents with OfficeDrop.

Scanning documents on your iPad just became available on OfficeDrop recently. Prior to this update, you would have had to mail in your physical documents if you wanted them scanned into digital form, or you would have had to use a scanner or upload the digital copy yourself. Now, you can create multi-page PDFs from your iPad.

And with OfficeDrop, all of your converted paper and uploaded digital documents will be available for text searching, sharing, and organization on your device and on the web at the Officedrop website. You can also snap a picture, crop & rotate, and then send it directly from your phone in OfficeDrop, which is perfect if you’re at work or taking notes, etc.

Using OfficeDrop

Once you download and install the OfficeDrop app for iOS, you can begin digitizing your documents. The process is fairly simple. Just snap a picture with your iPhone/iPad camera and upload it to OfficeDrop. OfficeDrop will then convert your paper into text searchable PDFs.

Once you’ve added a bunch of files, you can begin labeling and organizing them into folders so you can quickly find them later. You will also be able to search for them from within the app.

OfficeDrop also supports over 25 file types, so if you’re uploading digital files from your computer they too will be turned into searchable PDFs within the app.

You do need an account to use OfficeDrop, which is a simple process as well; the app will ask you to create one. There are multiple plans, but the free account grants you 1GB of searchable storage (more than enough for documents), displays only the top 3 search results (title and label your documents properly and this shouldn’t be an issue), and includes web, mobile, and tablet access.


OfficeDrop is a really handy app for when you’re on the go and want to scan notes to PDF so you’re not weighed down with paper to keep track of. I prefer to use it in conjunction with the iPad, but if you own both an iPhone and an iPad they can form a nice tandem. At any rate, this is a useful app that makes document scanning, organizing, and sharing both easy and practical.

What would your primary use for this app be?  Can you think of any apps which are worthy alternatives?

Are Retina/Iris Scanners The Next Level Of Mobile Security?


Rumors are swirling that the Samsung Galaxy Note 4 could have a retina or iris scanner built-in, allowing the user to unlock the phone just by looking at it. This sounds like something out of a science fiction movie, but as we’ve learned with the fingerprint scanner implementation in the iPhone 5S and Galaxy S5, these kinds of personalized locking mechanisms aren’t always perfect.

So how is eye-scanning technology used right now, and when can we realistically expect it to be implemented in mobile devices? When it does arrive, will it be as secure and reliable as we need it to be? Let’s find out.

Retina Scanners Vs. Iris Scanners

First off, we need to differentiate between retina and iris scanners, as the terms are often used interchangeably, but are in fact very different processes.

Retina Scanner: How It Works

A retina scanner shoots an invisible infrared light into your eyeball and measures how much light is reflected back off your retina. Your retina is a thin layer of cells in the back of your eye that is made up of a complex network of blood vessels unique to only you. Since blood vessels reflect less light than the rest of the retina, the pattern of reflection in your eye from this infrared light is completely unique.


Pros And Cons Of Retina Scanning

Unfortunately, while your retina is generally unchanged for your entire life, certain diseases like diabetes, glaucoma, and other eye-related disorders can affect the structure of the retina. This means that if you rely on a device unlocking from a perfect image of your retina, and your retina changes due to a disease, you would be locked out of your device.

Retina scanning also involves a user getting very close to a device (within inches) and having a beam of infrared light shot into their eye. This makes it rather invasive and annoying to perform on a regular basis.

However, while it has many drawbacks as a use for smartphone unlocking, its medical applications are huge. While only certain diseases actually change the blood vessel structure of the retina enough to make it unidentifiable, many other diseases, including AIDS and malaria, can be detected by retina scanners. If a retina scanner was built-in to your phone, a weekly or monthly scan could keep you up-to-date on any diseases you may have caught and allow you to see a doctor before other symptoms arise.

Iris Scanner: How It Works

An iris scanner works much like a regular camera, except that after taking a picture (or short video) of your eye, it runs some serious calculations to measure the exact patterns in your iris. Your iris is the colorful part of your eye surrounding the black dot in the center called the pupil. Your “eye color” is really the color of your iris.

If you look closely in the mirror, you can see that your iris isn’t one solid color, but rather a complex structure of cells that is huge, magnificent, and best of all, entirely unique. The scanner can identify the unique patterns of the iris by shooting near-infrared light into the eyeball and determining the intricate structures of the iris from the light that returns.


Pros And Cons Of Iris Scanning

Iris scanning, for the most part, is considered the better of the two methods. It can be done from a greater distance, in some cases up to meters away from an individual, and is therefore less intrusive. It’s also less prone to changes due to disease, because a person’s iris generally stays the same for their entire life, except in cases of extreme injury to the eye. The iris, as a protected, unchanging, yet completely unique feature of the human body, is often seen as the best chance we have of ever perfectly identifying people.

Of course, because it works by taking a picture or short video of the iris, it is theoretically possible that an iris scanner could be fooled by a high quality image or a convincing reproduction of an eyeball. Some iris scanners, though, incorporate checks to ensure that the eyeball belongs to a live person. These kinds of checks can vary, and are still in production in many cases, but they range from shooting a burst of light to dilate the pupils, to judging the subtle facial movements around the eye over the course of a couple seconds. Many of these live checks offer less convenience, though, since a burst of bright light to the eye isn’t very fun, and recording a short video to judge facial movements takes too much time.

Because iris scanners are in many ways superior to retina scanners, it’s probably safe to assume that if scanners ever do make it into smartphones, they will be iris scanners.

Is It Secure?

Now the biggest concern many of you are going to have with this is your security and your privacy. If iris scanners do make their way into smartphones in the future, you can bet that there will be a huge hubbub over security and privacy concerns — just as there was when Apple announced their iPhone’s fingerprint scanner.


And many of the questions remain the same. Users were worried that if Apple stored fingerprints in their databases, then organizations like the NSA could gain access to that and therefore have your fingerprint without your permission. Iris scanners pose the same problem: once your iris is scanned and that information is stored somewhere, it is possible that it could be stolen or snooped on by nefarious groups.


On the other hand, many people wondered if a severed finger could be used to unlock an iPhone, and that’s an even scarier prospect when you’re talking about iris scanning — nobody wants to have their eyeball gouged out after having their phone stolen. This concern boils down to how these scanners are implemented and whether or not smartphone manufacturers implement live person checks with their scanners. But since live checks often come at the cost of convenience, it’s unlikely we’ll see a perfect foolproof eye scanner hitting the market anytime soon.

In the meantime, passwords are still going to be one of the most secure and reliable forms of locking, although they aren’t the most convenient.

Current Implementations

Many government and corporate organizations use iris scanning as a secure means of restricting access to certain areas, and hundreds of airports around the world have implemented iris scanners as a form of identification even more secure than passports for easier travel. These kinds of scanners are large, expensive, and not at all suited for mobile. Below, you can see a picture of the scanners used in a Frankfurt airport in 2005.


Other times, mobile scanners, about the size of a big camera, can be used to quickly identify many people at once. In 2002, when Afghan refugees to Pakistan were being repatriated into their country, iris scanners were used to ensure that nobody was receiving multiple cash grants or more than their fair allowance of other assistance items. US Marines also used similar handheld iris scanners to identify members of the Baghdad City Council back in 2007, shown below.


In other cases, large multi-person iris scanners have been deployed as a security measure. In Leon, Mexico, scanners can identify up to 50 people per minute, even while they’re walking, and can help identify those who want to use an ATM, a hospital, or even ride a bus. That may seem a little futuristic and dystopic to some, but it was actually put into place four years ago in 2010. Privacy concerns aside, the technology behind that is amazing.

So far, consumer scanners are limited, although EyeLock is looking to change that. Their myris scanner plugs into your computer via USB and can replace all of your passwords. This isn’t quite at the level of being integrated into a smartphone, but it’s certainly getting there.

Can It Fit Inside A Smartphone?

Anthony Antolino, the Chief Marketing and Business Development Officer at EyeLock, expects to see iris scanners coming to computers and mobile devices in 2015. He says that while the technology has been around for a while, it is now finally becoming fast enough and easy enough to be used by the everyday consumer.


Modern scanners can work in an instant, even if users are walking or wearing glasses or contacts. The biggest problem might be fitting a high quality camera and a near-infrared light into a smartphone. Current front-facing shooters, like the 2MP cameras on most high-end Android phones and the 1.2MP camera on the iPhone 5S, simply aren’t high enough quality to view the iris well enough.

Additionally, smartphone manufacturers will need to find a way to squeeze in the near-infrared light and have it all operate fast enough that it isn’t noticeable for users or a significant drain on the phone’s resources.


Whether or not this comes as soon as the Galaxy Note 4 or iPhone 6 is yet to be seen, but it will almost certainly be coming at some point within the next few years.

Would You Use An Iris Scanner?

Iris scanning clearly has its strengths and weaknesses, but what it really comes down to is if people will use it in their mobile devices.

Would you use an iris scanner if it was built into your next smartphone? Is the convenience and security good enough to warrant it, or are you worried about the privacy aspect of having your iris scanned? Let us know in the comments.

eEye Retina Security Network Scanner Earns “Best Buy” from SC Magazine

IRVINE, Calif.–(BUSINESS WIRE)–eEye Digital Security, a provider of integrated security and threat management solutions, today announced that SC Magazine recently reviewed its Retina Network Security Scanner, giving it the highest possible rating of five out of a possible five stars in all categories. In its recent group test of vulnerability assessment products, eEye’s Retina was awarded “Best Buy” honors, a distinction reserved for products that SC Magazine Lab rates as “outstanding”.

The May 2009 issue of SC Magazine established that eEye’s Retina Network Security Scanner is “a great value for the money for almost any size environment,” and “provides a lot of great functionality that is easy to use and manage, all at a reasonable price.”

The review stated that the Retina Network Security Scanner is “a quick and simple installation” as well as “comfortable and easy to navigate.” It also calls set-up and configuration of scans “simple and intuitive.”

SC Magazine gave Retina Network Security Scanner five stars in all six categories: Features, Ease of Use, Performance, Documentation, Support and Value for Money.

The Retina Network Security Scanner provides multi-platform vulnerability management. Retina identifies known and zero-day vulnerabilities and provides security risk assessment, enabling security best practices, policy enforcement, and compliance with regulatory audits SOX, HIPAA, GLBA and PCI. Retina is available in three versatile delivery forms including Software, Appliance or Hosted (on demand) versions which makes it especially unique and suitable for any environment.

“This report from SC Magazine shows us that our team has succeeded at delivering a product that exceeds expectations in categories across the board and is able to drastically raise the bar in network security,” said eEye CEO Kamal Arafeh. “We’re honored to have SC Magazine recognize our Network Security Product with such high regards.”

eEye Digital Security is a provider of integrated security and threat management solutions with an installed base of some 9,000 customers including over one-half of America’s largest corporations as listed on the Fortune 100.

About eEye Digital Security

eEye Digital Security is a leader in vulnerability management, endpoint security, anti-virus software and IT security research. The company’s advanced security solutions help technology professionals protect the networks and digital assets of more than 9,000 corporate and government organizations worldwide. Founded in 1998, eEye Digital Security is headquartered in Orange County, California. For more information, please visit

All trademarks contained within this press release are the sole property of their respective owners and are hereby acknowledged.

SecureWorks : Vulnerability Scanning vs. Penetration Testing

When people misunderstand the differences between penetration testing and vulnerability scans, they are often missing a vital component in their overall network security profile.

Vulnerability scans and vulnerability assessments search systems for known vulnerabilities. A penetration test attempts to actively exploit weaknesses in an environment. While a vulnerability scan can be automated, a penetration test requires various levels of expertise.

Regular vulnerability scanning is necessary for maintaining information security. Secureworks® incident response (IR) analysts have observed some clients performing vulnerability scans weekly and others not performing these vital scans at all. Secureworks analysts recommend scanning every new piece of equipment before it is deployed and at least quarterly afterwards. Any changes to the equipment should immediately be followed by another vulnerability scan. The scan will detect issues such as missing patches and outdated protocols, certificates, and services.

Organizations should maintain baseline reports on key equipment and should investigate changes in open ports or added services. A vulnerability scanner (e.g., Nessus, GFI LANGuard, Rapid7, Retina, Qualys) can alert network defenders when unauthorized changes are made to the environment. Reconciling detected changes against change-control records can help determine if the change was authorized or if there is a problem such as a malware infection or a staff member violating change-control policies.
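The baseline-and-reconcile workflow described above, as an added example that is not SecureWorks’ own code: it diffs a saved baseline of open ports and services per host against the latest scan, then checks every change against change-control tickets so that unauthorized changes stand out. The report layout, ticket layout and all addresses, ports and ticket ids are constructed for illustration; a real scanner export (Nessus, Qualys, Retina and so on) would first be mapped into ScanHost.

```python
"""Baseline drift check for periodic vulnerability scans (added example,
not SecureWorks' code). It diffs the saved baseline of open ports and
services per host against the latest scan and reconciles every change
with change-control tickets. Report layout, ticket layout, addresses,
ports and ticket ids are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

@dataclass(frozen=True)
class ScanHost:
    """One host as a scan reports it: open ports and detected services."""
    address: str
    open_ports: FrozenSet[int]
    services: FrozenSet[str]

@dataclass(frozen=True)
class ChangeTicket:
    """An approved change-control record and what it authorized."""
    ticket_id: str
    address: str
    ports: FrozenSet[int]
    services: FrozenSet[str]

@dataclass
class Drift:
    """Differences for one host between the baseline and the current scan."""
    address: str
    added_ports: Set[int] = field(default_factory=set)
    removed_ports: Set[int] = field(default_factory=set)
    added_services: Set[str] = field(default_factory=set)
    removed_services: Set[str] = field(default_factory=set)

def diff_baseline(baseline: Dict[str, ScanHost],
                  current: Dict[str, ScanHost]) -> List[Drift]:
    """One Drift per host whose ports or services changed. A host seen only
    in the current scan is all 'added'; a vanished host is all 'removed'."""
    empty = ScanHost("", frozenset(), frozenset())
    drifts = []
    for address in sorted(set(baseline) | set(current)):
        old, new = baseline.get(address, empty), current.get(address, empty)
        d = Drift(address,
                  added_ports=set(new.open_ports - old.open_ports),
                  removed_ports=set(old.open_ports - new.open_ports),
                  added_services=set(new.services - old.services),
                  removed_services=set(old.services - new.services))
        if d.added_ports or d.removed_ports or d.added_services or d.removed_services:
            drifts.append(d)
    return drifts

def reconcile(drifts: List[Drift],
              tickets: List[ChangeTicket]) -> Tuple[List[Drift], List[Drift]]:
    """Split drift into (authorized, unexplained). A host's drift is
    authorized only when every changed port and service is covered by a
    ticket for that host; partial coverage stays unexplained."""
    authorized, unexplained = [], []
    for d in drifts:
        ok_ports: Set[int] = set()
        ok_services: Set[str] = set()
        for t in tickets:
            if t.address == d.address:
                ok_ports |= t.ports
                ok_services |= t.services
        if ((d.added_ports | d.removed_ports) <= ok_ports
                and (d.added_services | d.removed_services) <= ok_services):
            authorized.append(d)
        else:
            unexplained.append(d)
    return authorized, unexplained

# Constructed sample data: last quarter's baseline versus this week's scan.
BASELINE = {
    "10.0.0.5": ScanHost("10.0.0.5", frozenset({22, 443}), frozenset({"ssh", "https"})),
    "10.0.0.9": ScanHost("10.0.0.9", frozenset({22, 3306}), frozenset({"ssh", "mysql"})),
}
CURRENT = {
    # 8443/https-alt was opened under an approved ticket (see TICKETS).
    "10.0.0.5": ScanHost("10.0.0.5", frozenset({22, 443, 8443}),
                         frozenset({"ssh", "https", "https-alt"})),
    # 4444 with an unidentified service appeared with no ticket: investigate.
    "10.0.0.9": ScanHost("10.0.0.9", frozenset({22, 3306, 4444}),
                         frozenset({"ssh", "mysql", "unknown"})),
    # A host nobody recorded deploying is also unexplained drift.
    "10.0.0.12": ScanHost("10.0.0.12", frozenset({22}), frozenset({"ssh"})),
}
TICKETS = [ChangeTicket("CHG-0001", "10.0.0.5", frozenset({8443}), frozenset({"https-alt"}))]

def run_check(baseline=BASELINE, current=CURRENT,
              tickets=TICKETS) -> Dict[str, List[str]]:
    """Host addresses grouped by outcome, for the report or a ticket queue."""
    authorized, unexplained = reconcile(diff_baseline(baseline, current), tickets)
    return {"authorized": [d.address for d in authorized],
            "unexplained": [d.address for d in unexplained]}

if __name__ == "__main__":
    for outcome, hosts in run_check().items():
        print(f"{outcome}: {', '.join(hosts) or '(none)'}")
```

The unexplained list is what the analyst follows up on: a new listening port, a new service, or a host that was never recorded as deployed, none of which a change ticket accounts for.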

Penetration testing is quite different, as it attempts to identify insecure business processes, lax security settings, or other weaknesses that a threat actor could exploit. Transmission of unencrypted passwords, password reuse, and forgotten databases storing valid user credentials are examples of issues that can be discovered by a penetration test. Penetration tests do not need to be conducted as often as vulnerability scans but should be repeated on a regular basis.

Penetration tests are best conducted by a third-party vendor rather than internal staff to provide an objective view of the network environment and avoid conflicts of interest. Various tools are used in a penetration test, but the effectiveness of this type of test relies on the tester. The tester should have a breadth and depth of experience in information technology, preferably in the organization’s area of business; an ability to think abstractly and attempt to anticipate threat actor behaviors; the focus to be thorough and comprehensive; and a willingness to show how and why an organization’s environment could be compromised.

A penetration test report should be short and to the point. It can have appendices listing specific details, but the main body of the report should focus on what data was compromised and how. To be useful for the customer, the report should describe the actual method of attack and exploit, the value of the exploited data, and recommendations for improving the organization’s security posture.

Table 1 lists the differences between vulnerability scans and penetration tests.

| | Vulnerability scan | Penetration test |
|---|---|---|
| Frequency | At least quarterly, especially after new equipment is loaded or the network undergoes significant changes | Once or twice a year, as well as anytime the Internet-facing equipment undergoes significant changes |
| Reports | Provide a comprehensive baseline of what vulnerabilities exist and what changed since the last report | Concisely identify what data was compromised |
| Focus | Lists known software vulnerabilities that could be exploited | Discovers unknown and exploitable weaknesses in normal business processes |
| Performed by | Typically conducted by in-house staff using authenticated credentials; does not require a high skill level | Best to use an independent outside service and alternate between two or three; requires a great deal of skill |
| Cost | Low to moderate: about $1,200 per year plus staff time | High: about $10,000 to $15,000 per year |
| Value | Detects when equipment could be compromised | Identifies and reduces weaknesses |

Table 1. Comparison of vulnerability scans versus penetration tests.

Vulnerability scanning and penetration testing are both critical to a comprehensive security strategy. They are powerful tools to monitor and improve an organization’s network environment.

Australian small businesses lag on computer security

Small businesses have embraced the internet but 16 per cent don’t use anti-virus software and 30 per cent don’t use a protective firewall, a new study shows.

That leaves them at risk from an extensive and increasing number of internet threats, the Australian Institute of Criminology (AIC) says.

Releasing the study for Safe Internet Day, Attorney General Nicola Roxon said most small businesses could not function without the internet.

“So it’s important small businesses can identify threats and can put in place measures to protect themselves and their customers,” she said.

Home Affairs Minister Jason Clare said small business accounted for around 95 per cent of all Australian businesses, contributing around 34 per cent of private industry value to the economy.

“Cyber attacks can stop a small business being productive and this can have wider economic implications for the country,” he said in a statement.

The survey – the Australian Business Assessment of Computer Use Security (ABACUS) – included 3290 small business respondents, with 14 per cent reporting one or more security incidents in the period 2006-07.

Seventy-five per cent of those who experienced security incidents reported adverse consequences including loss of data, unavailability of service and an average financial loss of $2431.

On top of traditional threats including viruses and malware, new threats are emerging.

The survey found that 84 per cent of businesses were using anti-virus software, 63 per cent were using anti-spam programs and 58 per cent were using anti-spyware tools.

But only 70 per cent of small businesses were using firewalls to protect their computer systems and only seven per cent had policies in place stipulating acceptable computer use by staff.

“The risks for businesses and their online customers are likely to change and potentially increase,” report author and AIC analyst Alice Hutchings said.

Petya ransomware: Experts tout ‘vaccine’ to protect computers from crippling cyber attack

Security experts say that a digital “vaccine” can protect individual computers from the crippling Petya ransomware.

Petya sparked mass disruption after it emerged Tuesday. Ukraine and Russia appeared hardest hit by the new strain of ransomware — malicious software that locks up computer files with all-but-unbreakable encryption and then demands a ransom for its release. In the U.S., the malware affected companies such as the drugmaker Merck and Mondelez International, the owner of food brands such as Oreo and Nabisco.

Cybereason security researcher Amit Serper found a way to prevent the ransomware affecting computers, according to the Bleeping Computer security news site, which notes that other experts agreed with his findings. Users can create a read-only file called ‘perfc’ in their C:/Windows folder to ‘vaccinate’ their computers and stop Petya.

However, while this approach can stop the ransomware on individual computers, experts have not yet found a so-called “kill switch” that would completely stop the ransomware attack.


Petya’s pace appeared to slow as Tuesday wore on, in part because the malware appeared to require direct contact between computer networks, a factor that may have limited its spread in regions with fewer connections to Ukraine.

The malware’s origins remain unclear. Researchers picking the program apart found evidence its creators had borrowed from leaked U.S. National Security Agency code, raising the possibility that the digital havoc had spread using U.S. taxpayer-funded tools.

Symantec Security Response reported Tuesday that the latest round of ransomware is harnessing the same EternalBlue Windows exploit as the WannaCry ransomware that wreaked havoc across the globe last month.

Microsoft issued a patch for EternalBlue in March.


Experts say that Petya highlights the need for organizations to keep their systems up to date with the latest security measures.

“It’s alarming that we’re seeing another large-scale, global ransomware attack on the heels of the recent WannaCry incident,” said Varun Badhwar, CEO and co-founder of cloud security company, RedLock, in a statement emailed to Fox News. “Every company and consumer connected to the internet needs to immediately install the patch that Microsoft released back in March to fix the EternalBlue vulnerability that the new Petya ransomware attack is leveraging. For companies that forego implementing the latest security patches and updates, vulnerabilities like EternalBlue are ticking time bombs.”

“The recent attacks associated with WannaCry and Petya have reinforced the lack of accountability and focus on basic IT and security fundamentals,” added James Carder, chief information security officer at LogRhythm, in a statement emailed to Fox News. “Core IT operational competencies, such as patch management, backups, disaster recovery, and incident response are not well implemented or maintained.”

On Wednesday, the mysterious Shadow Brokers group also re-emerged to taunt the NSA. It’s a possible hint at the shadowy spy games being played behind the scenes of the cybersecurity crisis.


The Shadow Brokers, who have spent nearly a year publishing some of the American intelligence community’s most closely guarded secrets, posted a new message to the user-driven news service Steemit carrying new threats, a new money-making scheme and nudge-nudge references to the ransomware explosion that continues to cause disruption from Pennsylvania to Tasmania.

“Another global cyber attack is fitting end for first month of theshadowbrokers dump service,” the group said, referring to a subscription service which purportedly offers hackers early access to some of the NSA’s digital break-in tools. “There is much theshadowbrokers can be saying about this but what is point and having not already being said?”

The Associated Press contributed to this article.

Fingbox Helps You Monitor & Manage Devices on Your Network with Your iOS/Android Smartphone

Fing is a network scanner mobile app available for iOS and Android that allows you to discover which devices are connected to your Wi-Fi network, map devices, detect intruders, assess network security risks, troubleshoot network problems, and optimize wireless network performance.

But in order to go beyond network monitoring, the developers have designed the Ubuntu Core based Fingbox hardware to add features such as access control (e.g. parental control), per-client bandwidth usage analysis, finding Wi-Fi sweet spots and avoiding black spots, verifying your Internet speed, monitoring devices in your network, and protecting it with a digital fence that works against threats.

From a hardware perspective, Fingbox is a round-shaped Ethernet node with the following specifications:

  • Processor – ARMv7 processor

  • System Memory – 1GB RAM

  • Connectivity – Gigabit Ethernet

The Linux (Ubuntu Core) device just needs to be connected to your network via an Ethernet cable and powered by its adapter. You’d then run the Fing app on Android or iOS, which will automatically detect the Fingbox and allow you to easily monitor and control devices on your home network. The best way to clearly understand what the device brings to the table is to watch the demo embedded below.

Fingbox was launched through an Indiegogo campaign that ended very successfully with 20,000 backers and over $1.6 million raised, but now you can purchase it directly from Amazon for $129 with shipping to the US, UK, EU, and Canada, or from the Fing website for other countries.

When I think about it, I wonder why we don’t get such functionality from the router directly, as surely that’s something vendors could implement in the firmware with no added hardware cost, except possibly on the cheapest models due to storage and/or memory limitations. Feel free to comment if you can already use your smartphone to monitor and manage other devices via your router, or whether Fingbox is the only workable solution right now.


GitHub’s new security scanner

GitHub just announced a new service called “security alerts for vulnerable dependencies.” It’s not the catchiest name ever, but it’s a new service from GitHub that is going to change how we build software. Again.

The very short description of the service: GitHub is launching a service for public repositories that will look at your software dependencies, then alert you if there is a security vulnerability in one of your dependent components. This is a huge deal, as before now it was very difficult to figure this out. The only options were rather expensive services or manual inspection. Neither is an option for most open source projects.

From reading about the service they’re going to leverage existing CVE data to populate their scanner with security details. It’s a bit poetic that MITRE just moved the CVE data to GitHub.

As with most news, there are already some security people complaining about this new GitHub effort. Everything from it won’t catch all flaws, there will be false positives, the CVE data is incomplete, basically the fact that this won’t be a perfect solution. These complaints are technically correct, but they’re not helpful and will thankfully be ignored.

The thing GitHub seems to understand that much of the security universe doesn’t understand is that change doesn’t happen overnight, and it’s never perfect the first time. Real change takes time and many iterations. This lack of understanding is no doubt one of the reasons our current security track record isn’t very good. Perfect and nothing are functionally the same thing in the end.

The data GitHub is using will be out of date, it will contain mistakes, and it will be incomplete. It doesn’t matter though. They will march this project forward, it will get better, and it’s going to make a huge difference in how software is built. Someday we will wonder how we built software without this level of insight into our projects.

Now this topic of understanding your dependencies isn’t new. I’ve been talking about it for years. I generally start the conversation about this topic by saying “open source won”. That used to be a controversial statement. It’s not anymore. In fact, I’ve not had anyone question me in a few years about it. It’s pretty clear open source won.

However, just because open source won doesn’t mean it gets some sort of free pass. The reason it won is because it’s very easy to incorporate open source into your own projects and get a huge boost in productivity. But how you include open source into your projects can bring a certain level of risk with it.

If you include open source software that contains security vulnerabilities in a project, your project now contains those security vulnerabilities. It’s not uncommon for one open source component to contain copies of other components, which in turn contain copies of still other components and their dependencies, all the way down. These multiple layers of dependencies can get out of hand quickly. You might think you are adding one thing, but you’re really adding seven.

The missing piece in the open source dependency story has been finding a way to understand what’s in a product or project and if those components need updating. In a perfect world everyone would update components with every build, but this is far from a perfect world. Updating your open source dependencies generally takes time and effort so we can’t update things constantly.

If you’re not updating your dependencies constantly, do you know if one of those dependencies has an unfixed security vulnerability? This problem has been getting more and more attention over the past few years as the success of open source has been noticed. With the new attention some hard questions have also arrived. The single biggest revolves around understanding your third-party dependencies.
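What a dependency alert actually has to do is spelled out in the paragraphs above: walk the whole tree, not just the components you declared, and compare each one’s version against a list of known-affected ranges. The following is an added example of that logic, written for this page; it is not GitHub’s implementation, and the dependency graph, package names and advisory identifiers are constructed sample data rather than real packages or CVE records. The version-range syntax (`<`, `<=`, `==`, `>=`, `>` on dotted numeric versions, comma-separated for AND) is this example’s own simplification.

```python
"""Flatten a project's dependency tree and match every component, direct or
transitive, against a list of known-vulnerable version ranges.

Added example illustrating the post above; not GitHub's code. The graph,
package names and advisory identifiers below are constructed sample data, not
real packages or CVE records. Version specs use <, <=, ==, >=, > on dotted
numeric versions, comma-separated when several constraints must all hold.
"""
from typing import Dict, List, Tuple

Package = Tuple[str, str]  # (name, version)

# Constructed sample graph: what each (name, version) pulls in. The project
# declares a single direct dependency but ends up with several components.
DEPENDENCY_GRAPH: Dict[Package, List[Package]] = {
    ("webapp", "1.0.0"): [("framework", "2.3.1")],
    ("framework", "2.3.1"): [("templating", "1.8.0"), ("httpclient", "0.9.2")],
    ("templating", "1.8.0"): [("markup-escape", "1.0.1")],
    ("httpclient", "0.9.2"): [("urlparse-compat", "3.1.0"), ("markup-escape", "1.0.1")],
    ("markup-escape", "1.0.1"): [],
    ("urlparse-compat", "3.1.0"): [],
}

# Constructed sample advisories: (package, affected version spec, identifier).
# Identifiers are placeholders, not real CVE numbers.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("markup-escape", "<1.0.2", "ADVISORY-PLACEHOLDER-1"),
    ("urlparse-compat", ">=3.0.0,<3.1.1", "ADVISORY-PLACEHOLDER-2"),
    ("httpclient", "==0.8.0", "ADVISORY-PLACEHOLDER-3"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.8.0' -> (1, 8, 0); tuples compare component-wise like versions."""
    return tuple(int(part) for part in version.split("."))


def version_in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated constraint in spec."""
    ver = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "<", ">"):  # two-char operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported constraint: {clause!r}")
        satisfied = {
            "<": ver < bound, "<=": ver <= bound, "==": ver == bound,
            ">": ver > bound, ">=": ver >= bound,
        }[op]
        if not satisfied:
            return False
    return True


def resolve_transitive(root: Package, graph: Dict[Package, List[Package]]) -> Dict[Package, List[str]]:
    """Return every component reachable from root, with the chain of package
    names by which it was first reached, so each finding can be explained."""
    reached: Dict[Package, List[str]] = {}
    stack = [(root, [root[0]])]
    while stack:
        node, path = stack.pop()
        for child in graph.get(node, []):
            if child in reached:
                continue  # diamond dependency: report the component once
            reached[child] = path + [child[0]]
            stack.append((child, reached[child]))
    return reached


def find_vulnerable(root: Package, graph: Dict[Package, List[Package]],
                    advisories: List[Tuple[str, str, str]]) -> List[dict]:
    """Match every transitive component against the advisory list."""
    findings = []
    for (name, version), path in sorted(resolve_transitive(root, graph).items()):
        for adv_name, spec, adv_id in advisories:
            if adv_name == name and version_in_range(version, spec):
                findings.append({"package": name, "version": version,
                                 "advisory": adv_id, "path": " -> ".join(path)})
    return findings


if __name__ == "__main__":
    root = ("webapp", "1.0.0")
    components = resolve_transitive(root, DEPENDENCY_GRAPH)
    print(f"{len(DEPENDENCY_GRAPH[root])} declared dependency, {len(components)} components in total")
    for f in find_vulnerable(root, DEPENDENCY_GRAPH, ADVISORIES):
        print(f"{f['package']} {f['version']}: {f['advisory']} via {f['path']}")
```

The point the post makes about “adding one thing but really adding seven” shows up directly: the sample project declares one dependency and carries five components, two of which match an advisory, and neither of those appears in the project’s own manifest. The `path` field is what turns an alert into something actionable, because the fix is usually to bump the intermediate package that pulled the affected one in, not the leaf itself.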

It will be very interesting to watch how this service evolves at GitHub. No doubt it will have some problems as all new things do. The CVE data will have to be expanded, there are many open source components that don’t even know what a CVE ID is today. These are all problems we can solve though. The future of security will always be unknown and turbulent, but in this one instance I have high hopes that things will get better.

Microsoft 365 helps businesses increase trust and innovation through compliance with Compliance Manager Preview

Today’s post was written by Ron Markezich, corporate vice president for Microsoft.

The evolution of technology and cloud innovation are democratizing data and in turn fueling digital transformation. Embracing every facet of this digital transformation offers organizations an opportunity to better engage with customers, empower employees, and optimize the creation and delivery of products and services. However, with the increased use of personal data to customize user experiences, new compliance laws—such as the General Data Protection Regulation (GDPR)—are a logical policy component of our technology landscape. Microsoft 365 offers a complete cloud solution to help you with GDPR compliance, while Compliance Manager helps you assess and manage your compliance risk.

Compliance promotes innovation by building customer trust in technology

At its core, the GDPR strengthens personal privacy rights for individuals in the EU and requires organizations to provide individuals control over their personal data. To build and maintain the trust needed to manage customer relationships through technology, organizations need tighter controls over what personal data they hold and how they manage and protect this data. Systems and processes need to be modernized to prevent the unlawful use of data, accommodate personal data requests by individuals, and provide notifications of breaches in a timely manner.

Businesses are looking to the cloud for added value

Our research suggests that companies not only see the long-term value of building trust by protecting customer data, but in fact believe their investments in compliance will positively impact other areas of their business—like productivity and collaboration.* When IT decision makers in Europe and the U.S. were asked to identify their top concern in achieving GDPR compliance, “protecting customer data” was the #1 response while avoiding fines ranked #8. More than half of respondents said the GDPR brings added benefits like collaboration, productivity, and security. Cloud solutions like Microsoft 365 are a big reason that businesses see opportunity in compliance. Of those surveyed, 41 percent said they are likely to move more of their company’s infrastructure to the cloud to become compliant. And among leading cloud vendors, Microsoft was identified as most trusted by a wide margin (28 percent), followed by IBM (16 percent), Google (11 percent), and Amazon (10 percent). All told, 92 percent of IT decision makers in companies that store data primarily in the cloud identified as being confident in their GDPR readiness, compared with just 65 percent of those who prefer to store data on-premises.

Microsoft 365 is a complete cloud solution for GDPR compliance

The Microsoft Cloud is uniquely positioned to help you meet your GDPR compliance obligations, with the largest certified compliance portfolio, services architected to be secure by design, and the most extensive global datacenter footprint in the industry.

Our cloud solution is built for power, scale, and flexibility. Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security—offering a rich set of integrated solutions that leverage AI to help you assess and manage your compliance risk, protect your most important data, and streamline your processes.

Assess and manage your compliance risk with Compliance Manager Preview

Because achieving organizational compliance can be very challenging, understanding your compliance risk should be your first priority. Today, we’re making that easier with the preview of Compliance Manager.

Compliance Manager is a cross–Microsoft Cloud services solution designed to help organizations meet complex compliance obligations like the GDPR. It performs a real-time risk assessment that reflects your compliance posture against data protection regulations when using Microsoft Cloud services, along with recommended actions and step-by-step guidance. Learn more about Compliance Manager and how to access the preview.

Image of the Compliance Manager dashboard showing the Review Frameworks for Office 365, Azure and Dynamics 365.

Protect your most sensitive data

Beyond understanding your compliance risk, protecting both personal data and other sensitive content is key.

Microsoft information protection solutions provide an integrated classification, labeling, and protection experience, enabling more persistent governance and protection of sensitive data wherever it is—across devices, apps, cloud services, and on-premises.

For example, Office 365 Advanced Data Governance leverages machine assisted insights to help you automatically classify, set policies, and protect the data in Office 365 that is most important to your organization.

Image of the Office 365 Security & Compliance dashboard showing how to set policies.

Azure Information Protection scanner addresses hybrid and on-premises scenarios by allowing you to configure policies to automatically label and protect documents on a Windows Server file share. Read “Azure Information Protection scanner in public preview” to learn more about the scanner.

Microsoft also provides external threat protection solutions to prevent and detect cyber-attacks across workloads—whether on devices using Windows 10, on-premises and Azure-based infrastructure, or with our cloud services like Office 365.

One of these solutions, Windows Defender Advanced Threat Protection, is built into Windows 10 and helps spot most advanced targeted attacks by giving visibility into threats on your device, insights into the scope of the threat, and one-click response capabilities to isolate the threat immediately.

Image of the Windows Defender Advanced Threat Protection dashboard showing security alerts on a machine.

Streamline your processes

The GDPR requires organizations to be able to identify and locate personal data. Having scalable investigation and audit-ready processes in place to meet these requirements is paramount.

Content Search, a feature of Office 365 eDiscovery, makes it easy to search Office 365 for data related to individuals. Since the results of this search could result in large quantities of data or data that is confidential to the organization, machine learning in Advanced eDiscovery can be used to minimize the data so that you are only providing the relevant data in accordance with the GDPR.

Finally, Customer Lockbox provides an audit trail showing when personal data is accessed during service operations.

Get started today on your GDPR journey with Microsoft

No matter where you are in your GDPR efforts, the Microsoft Cloud and our intelligent compliance solutions in Microsoft 365 can help you on your journey to GDPR compliance.

—Ron Markezich

*Online survey conducted by YouGov PLC between 10/31/2017 and 11/8/2017. Sample size: 1,542 IT decision makers.

RDPY – RDP Security Tool For Hacking Remote Desktop Protocol

RDPY is an RDP security tool written in Twisted Python, with an RDP man-in-the-middle proxy that can record sessions, and honeypot functionality.

RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side). RDPY is built over the event-driven network engine Twisted. RDPY supports the standard RDP security layer, RDP over SSL and NLA authentication (through the NTLMv2 authentication protocol).

RDPY RDP Security Tool Features

RDPY provides the following RDP and VNC binaries:

  • RDP Man In The Middle proxy which records sessions

  • RDP Honeypot

  • RDP Screenshoter

  • RDP Client

  • VNC Client

  • VNC Screenshoter

  • RSS Player

RDPY is fully implemented in Python, except for the bitmap decompression algorithm, which is implemented in C for performance.

RDPY Hacking RDP Binaries

rdpy-rdpclient is a simple RDP Qt4 client.

$ rdpy-rdpclient.py [-u username] [-p password] [-d domain] [-r rss_output_file] […] XXX.XXX.XXX.XXX[:3389]

You can use rdpy-rdpclient to record a session scenario (rss file), which rdpy-rdphoneypot can then replay.


rdpy-vncclient is a simple VNC Qt4 client.

$ rdpy-vncclient.py [-p password] XXX.XXX.XXX.XXX[:5900]


rdpy-rdpscreenshot saves the login screen to a file.

$ rdpy-rdpscreenshot.py [-w width] [-l height] [-o output_file_path] XXX.XXX.XXX.XXX[:3389]


rdpy-vncscreenshot saves the first screen update to a file.

$ rdpy-vncscreenshot.py [-p password] [-o output_file_path] XXX.XXX.XXX.XXX[:5900]


rdpy-rdpmitm is an RDP proxy that allows you to perform a man-in-the-middle attack on the RDP protocol. It records the session scenario into an rss file, which can be replayed by rdpy-rssplayer.

$ rdpy-rdpmitm.py -o output_dir [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] [-r (for XP or server 2003 client)] target_host[:target_port]

The output directory is used to save the rss files, named in the format YYYYMMDDHHMMSS_ip_index.rss. The private key file and the certificate file are the usual cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer: if either of these two parameters is omitted, the server uses standard RDP as the security layer.
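Once a recording directory fills up, the first thing an operator wants is a view of which sources connected, how often and over what period. The following is an added example, not part of RDPY, that parses the YYYYMMDDHHMMSS_ip_index.rss naming convention just described and summarises the recordings per source address. The file names are constructed and use documentation (TEST-NET) addresses rather than real hosts; the trailing index field is treated only as an integer sequence number, since the description above does not define it further.

```python
"""Index rss recordings by source address from their file names.

Added example, not part of RDPY: it parses the YYYYMMDDHHMMSS_ip_index.rss
naming convention used for recorded sessions. SAMPLE_FILES is a constructed
directory listing with documentation (TEST-NET) addresses, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Timestamp (14 digits), dotted IPv4 address, integer index, ".rss" suffix.
RSS_NAME = re.compile(
    r"^(?P<ts>\d{14})_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<index>\d+)\.rss$"
)

# Constructed listing of an output directory, including one unrelated file.
SAMPLE_FILES = [
    "20171115083012_203.0.113.7_0.rss",
    "20171115083012_203.0.113.7_1.rss",
    "20171115091544_198.51.100.23_0.rss",
    "20171116021903_203.0.113.7_0.rss",
    "notes.txt",
]


def parse_rss_name(name: str) -> Optional[Tuple[datetime, str, int]]:
    """Return (timestamp, source ip, index) for an rss file name, else None."""
    match = RSS_NAME.match(name)
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), "%Y%m%d%H%M%S")
    return ts, match.group("ip"), int(match.group("index"))


def summarize(names: List[str]) -> Dict[str, dict]:
    """Group recordings by source ip with count, first/last time and files."""
    by_ip: Dict[str, List[Tuple[datetime, int, str]]] = defaultdict(list)
    for name in names:
        parsed = parse_rss_name(name)
        if parsed is None:
            continue  # not a recording; leave it out of the summary
        ts, ip, index = parsed
        by_ip[ip].append((ts, index, name))
    summary = {}
    for ip, items in by_ip.items():
        items.sort()  # chronological, then by index within the same second
        summary[ip] = {
            "sessions": len(items),
            "first": items[0][0],
            "last": items[-1][0],
            "files": [name for _, _, name in items],
        }
    return summary


def busiest(summary: Dict[str, dict]) -> List[Tuple[str, int]]:
    """Source addresses ordered by number of recorded sessions, most first."""
    return sorted(((ip, s["sessions"]) for ip, s in summary.items()),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    report = summarize(SAMPLE_FILES)
    for ip, count in busiest(report):
        span = f"{report[ip]['first']:%Y-%m-%d %H:%M:%S} .. {report[ip]['last']:%Y-%m-%d %H:%M:%S}"
        print(f"{ip:16} {count:3} session(s)  {span}")
```

In practice replace `SAMPLE_FILES` with `os.listdir(output_dir)`; the parser ignores anything that does not follow the naming pattern, so stray files in the directory do not break the summary.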


rdpy-rdphoneypot is an RDP honeypot. It uses recorded session scenarios to replay a scenario over the RDP protocol.

$ rdpy-rdphoneypot.py [-l listen_port] [-k private_key_file_path] [-c certificate_file_path] rss_file_path_1 … rss_file_path_N

The private key file and the certificate file are the usual cryptographic files for SSL connections. The RDP protocol can negotiate its own security layer: if either of these two parameters is omitted, the server uses standard RDP as the security layer. You can specify more than one file to match more common screen sizes.


rdpy-rssplayer is used to replay Record Session Scenario (rss) files generated by either the rdpy-rdpmitm or the rdpy-rdpclient binaries.

$ rdpy-rssplayer.py rss_file_path

There’s also another related tool which can extract RDP sessions:

– SessionGopher – Session Extraction Tool

And there is of course Seth – RDP Man In The Middle Attack Tool.

You can download RDPY here:

Or read more here.


How run Scans without PC going to sleep

This has been bugging me.

When I run a long scan, say a Malwarebytes Custom Scan or Microsoft Safety Scanner, after a certain amount of time my PC goes to sleep. And of course the scan stops until I move the mouse to wake it and the scan restarts. Some of these scans take many, many hours to complete because of this sleep/wake/sleep cycle.

I don’t really want to touch my sleep / power settings each time I run a scan?

So how do you guys handle this? I would love to be able to run these longer scans when I go to bed and wake up to a completed scan.
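One way to handle this, given as an added example rather than as a reply from the thread: a Python wrapper that calls the Win32 SetThreadExecutionState API (through ctypes) to hold a “system required” request for as long as the scan process runs, then releases it. The power plan itself is never edited, which is the poster’s concern; the request disappears when the wrapper exits. The flag values come from the Win32 API documentation. The scanner command line is whatever you pass on the command line (the real Malwarebytes or Safety Scanner switches are not given on this page, so none are assumed here).

```python
"""Keep a Windows host awake while a long scan runs, without editing the
power plan.

Added example (not from the original poster or the thread): it calls the Win32
SetThreadExecutionState API through ctypes to hold a "system required"
request while the scan process runs, then releases it. Nothing in the power
settings is changed; the request simply goes away when this script exits.
The flag values come from the Win32 API documentation. The scanner command
line is supplied by the user on the command line.
"""
import ctypes
import subprocess
import sys
from contextlib import contextmanager
from typing import Iterator, List

# SetThreadExecutionState flags (Win32).
ES_CONTINUOUS = 0x80000000        # keep the requirement until cleared
ES_SYSTEM_REQUIRED = 0x00000001   # prevent system sleep
ES_DISPLAY_REQUIRED = 0x00000002  # also keep the display on


def execution_state_flags(keep_display_on: bool = False) -> int:
    """Flags to hold while scanning: system awake, display only if asked."""
    flags = ES_CONTINUOUS | ES_SYSTEM_REQUIRED
    if keep_display_on:
        flags |= ES_DISPLAY_REQUIRED
    return flags


@contextmanager
def keep_awake(keep_display_on: bool = False) -> Iterator[bool]:
    """Hold a sleep-inhibit request for the duration of the block.

    Yields True if the request was placed (Windows only); False elsewhere,
    so the wrapper still runs the command on other platforms.
    """
    if sys.platform != "win32":
        yield False
        return
    kernel32 = ctypes.windll.kernel32
    kernel32.SetThreadExecutionState.argtypes = [ctypes.c_uint32]
    kernel32.SetThreadExecutionState.restype = ctypes.c_uint32
    previous = kernel32.SetThreadExecutionState(execution_state_flags(keep_display_on))
    try:
        yield previous != 0  # a zero return means the call failed
    finally:
        # ES_CONTINUOUS alone clears the requirements set above.
        kernel32.SetThreadExecutionState(ES_CONTINUOUS)


def run_scan(command: List[str], keep_display_on: bool = False) -> int:
    """Run the scanner command with sleep inhibited; return its exit code."""
    with keep_awake(keep_display_on) as held:
        if not held:
            print("note: sleep inhibition not active on this platform", file=sys.stderr)
        return subprocess.call(command)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <scanner command and arguments>")
    sys.exit(run_scan(sys.argv[1:]))
```

Because the request is tied to the wrapper’s thread, there is nothing to undo afterwards: if the scanner finishes, crashes, or is killed, the wrapper exits and the machine returns to its normal sleep behaviour. Leaving `keep_display_on` false lets the screen turn off as usual while the scan keeps running.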