Computer News & Safety – Harry Waldron

April, 2016:

Facebook – Warning to avoid impersonation attacks

This USA Today article describes the dangers of impersonation attacks that are actively circulating:

Last week a hairstylist in Los Angeles took a break and (of course) checked his phone. He discovered a flood of messages, all from alarmed friends telling him the same thing: “You need to report this man in Greece. He’s pretending to be you.”

Roman quickly found the link on Facebook to report the impostor, and set the wheels in motion to shut down the fake account. He also asked his friends to follow the same steps, which many did. But Roman awoke to a surprise the next morning: the impostor had reported him as the fake, and the real Roman had been locked out of his own page.

Here’s how the message from Facebook began: “Your account has been disabled for pretending to be someone else, which goes against the Facebook Community Standards.” Roman had no access to his account for several days, telling me he couldn’t exchange messages with his 70-year-old mother in New Jersey and his “friends from all around the world, my whole family, my godson in Cuba, my goddaughter.”

Android – Top recommended Microsoft applications April 2016

Several Office products have been implemented for Android, as noted in the post below:

One of the most prolific developers of business-focused apps in the Google Play Store for Android is, surprise, Microsoft. In the past year, Redmond has shipped new apps for the entire Office suite, OneDrive, Microsoft Intune, and Dynamics CRM. Not to mention a smattering of interesting utilities designed to make the Android experience better. Here are 10 of my favorites …

Apple Watch – User experiences during first year

An interesting, detailed account of user experiences during the first year of this innovative device:

This week was the official one-year anniversary of the Apple Watch. I’ve owned one for almost all of that time, and — like many tech journalists and gadget commentators — I believe it’s worth reflecting on what the Apple Watch has meant to the tech world, the wearables category, and Apple. I didn’t actually get my Apple Watch until May 5. The reasons for that 11-day delay have to do with poor band choices and a big chunk of FOMO, but 51 weeks is still enough time to write a reflective analysis.

EMAIL – Congress working on 2016 email privacy bill

As shared below, further improvements to email privacy appear to be forthcoming:

We’re one step closer to email being treated as private communication, a distinction that would require government entities acquire a search warrant to read emails — even those older than 180 days.  The 180 day mark is currently the point where the federal government insists that email is “abandoned” on servers and, more or less, the digital equivalent of grabbing something out of a public garbage can. Of course, the rest of us live with the knowledge that archived email is no more abandoned than images you might store on a hard drive, or in the cloud.

With yesterday’s approval, the SCA’s predecessor — the Email Privacy Act (EPA) — is a step closer to becoming reality. Prior to yesterday, I had some concerns. Now, with a unanimous 419-0 vote in the House — the very place the bill typically died —  I feel relatively confident that the bill has legs.

Windows 10 – Anniversary update preview evaluated by ComputerWorld

Windows 10 is slated for another major build around July 2016; an evaluation of the preview version is shared below:

The first big update to Windows 10 will come this summer, a year after the operating system’s initial launch, with the release of what Microsoft is calling the Windows 10 Anniversary Update. The update’s exact release date hasn’t been set yet. Windows 10 was officially released on July 29, 2015 — but that doesn’t mean that the Anniversary Update will hit on the exact date.

When it is ready, the update will be delivered — as usual — via Windows Update. That means you won’t have to do anything manually — it will install automatically on its own. But you don’t have to wait until the official release date to install and use the update. Microsoft is releasing preview builds well before then — including one that you can install today.

As of this writing, the latest update is Windows 10 Insider Preview Build 14328. What follows includes information about features that Microsoft has announced will be in the final as well as features that are implemented in some way in the most recent build. Although the update is being called the Windows Anniversary Update, don’t expect many big presents. While there are some very solid and useful additions, this isn’t a big-bang change to the operating system.

Facebook – Government Data Requests on rise in 2016

As shared in the article below, requests from government entities have increased during the past year:

More than half of the requests for data that Facebook received from US law enforcement agencies in the second half of 2015 contained a non-disclosure order that prohibited the company from notifying the user whose data was requested, according to a report released today. Facebook’s bi-annual report on global government data requests indicated that there were 19,235 requests in the US from July to December 2015, up from 17,500 in the first half of the year. The company handed over data in 81 percent of cases.

Worldwide, government requests for account data increased by 13 percent, from 41,214 requests to 46,763. The number of items on the social network restricted for violating local law saw an even more dramatic jump, to 55,827 items, up from 20,568.  There were also up to 499 secret requests made for data under the Foreign Intelligence Surveillance Act (FISA).

In a blog post, Facebook’s Deputy General Counsel Chris Sonderby wrote that it does not provide any law enforcement agency access to data unless it determines the request to be legitimate.  “We scrutinize each request for user data we receive for legal sufficiency, no matter which country is making the request,” Sonderby wrote. “If a request appears to be deficient or overly broad, we push back hard and will fight in court, if necessary.”

Windows 10 – Cortana to enforce Edge and Bing standards

Within Windows 10, the Cortana search box will standardize on Edge and Bing for a consistent and more secure user experience. Other search and browser standards will continue to be supported outside of Cortana.

With Windows 10, we have invested in delivering comprehensive, end-to-end search capabilities that make Windows more personal, intuitive and helpful. The Cortana search box, in the bottom left of the Windows 10 taskbar, allows you to easily search across apps, documents, settings and the Web all with the help of your truly personal digital assistant.

Unfortunately, as Windows 10 has grown in adoption and usage, we have seen some software programs circumvent the design of Windows 10 and redirect you to search providers that were not designed to work with Cortana. The result is a compromised experience that is less reliable and predictable. The continuity of these types of task completion scenarios is disrupted if Cortana can’t depend on Bing as the search provider and Microsoft Edge as the browser. The only way we can confidently deliver this personalized, end-to-end search experience is through the integration of Cortana, Microsoft Edge and Bing – all designed to do more for you.

Of course, you can continue to use your search engine and browser of choice on Windows 10.  They can be accessed and used as you always have.  You can easily use our centralized default manager to choose your preferred default program for everything from browsing to email, and you can configure the search default setting in Microsoft Edge and Internet Explorer, which are available when you directly access those programs.

FBI – Dangers of Ransomware increase during 2016

The FBI has issued an informative security bulletin for April 2016 documenting the increasing number of corporate and home ransomware attacks:

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.  The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.

And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.  Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. The FBI has developed a brochure of safety and risk mitigation tips for the growing threat of ransomware.

FBI – Ransomware Prevention Brochure 2016

The FBI has developed a brochure of safety and risk mitigation tips for the growing threat of ransomware.

Prevention Considerations

* Implement an awareness and training program. Because end users are targeted, employees and individuals should be made aware of the threat of ransomware and how it is delivered.

* Patch operating systems, software, and firmware on devices, which may be made easier through a centralized patch management system.

* Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.

* Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary.

* Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.

* Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.

* Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers.
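
To gauge what a path rule like the SRP item above would stop before it is enforced, this added example (not from the FBI brochure or this blog) replays constructed process-creation records against deny rules for temp and browser-cache folders. The folder list, extension set, log format and function names are assumptions for illustration.

```python
import ntpath
import re

# Assumed deny list (illustrative, not from the brochure): user-writable temp
# and browser-cache folders. "*" stands for exactly one path component.
DENY_GLOBS = [
    r"C:\Users\*\AppData\Local\Temp",
    r"C:\Users\*\AppData\Local\Microsoft\Windows\INetCache",
    r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Cache",
    r"C:\Windows\Temp",
]
# Assumed set of file types treated as executable content.
EXEC_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1"}

def _glob_to_regex(glob):
    parts = [re.escape(p).replace(r"\*", r"[^\\]+") for p in glob.split("\\")]
    # Match the folder itself or anything beneath it, ignoring case.
    return re.compile(r"\\".join(parts) + r"(\\.*)?$", re.IGNORECASE)

DENY_RULES = [_glob_to_regex(g) for g in DENY_GLOBS]

def would_block(image_path):
    """Return True if a deny rule covers the folder this image runs from."""
    # normpath folds "/" into "\" and collapses "..", so a path written as
    # Documents\..\AppData\Local\Temp cannot slip past the rule.
    path = ntpath.normpath(image_path.strip().strip('"'))
    folder, name = ntpath.split(path)
    if ntpath.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
        return False
    return any(rule.match(folder) for rule in DENY_RULES)

# Constructed process-creation records (hypothetical log format).
SAMPLE_EVENTS = [
    r"2016-04-29T09:14:02 user=alice image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
    r"2016-04-29T09:14:40 user=alice image=C:\Users\alice\AppData\Local\Temp\invoice_0429.pdf.exe",
    r"2016-04-29T09:20:13 user=bob image=C:/Users/bob/Documents/../AppData/Local/Temp/7z\fax.js",
    r"2016-04-29T09:31:55 user=bob image=C:\Users\bob\AppData\Local\Temp\setup.log",
    r"2016-04-29T09:40:07 user=carol image=c:\users\carol\appdata\local\google\chrome\user data\Default\Cache\f_0001.scr",
]

def audit(events):
    """Return the image names that the deny rules would have stopped."""
    hits = []
    for line in events:
        image = line.split("image=", 1)[1]
        if would_block(image):
            hits.append(ntpath.basename(ntpath.normpath(image)))
    return hits
```

Running such a replay in audit mode first shows which legitimate installers or updaters also launch from these folders and would need an exception. The matcher does not resolve 8.3 short names or junctions, which a production rule set must also account for.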

Business Continuity Considerations

* Back up data regularly, and regularly verify the integrity of those backups.

* Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing offline.

Other Considerations

* Implement application whitelisting; only allow systems to execute programs known and permitted by security policy.

* Execute operating system environments or specific programs in a virtualized environment.

* Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.

PCI DSS standards 3.2 release

The PCI DSS 3.2 release is designed to improve point-of-sale and e-commerce standards. This new version will require moving away from older and less secure TCP/IP networking protocols by June 2016. Full compliance with the 3.2 standards is set for June 2018.

A new version of the standard was released today, version 3.2. There are a number of changes that will affect those that need to comply with the standard, especially for service providers. For service providers struggling to move customers away from SSL and weak TLS there is some good news. The deadline for this requirement has been moved to June 30 2018. Service providers will however be required to have a secure environment (i.e. accepting TLS v1.2 or v1.1) by June 30 2016 (yes two months). This shouldn’t be too onerous as most service providers will already have this in place.

There are a few new requirements in the standard. The majority of these only apply to service providers and relate to ensuring that processes are followed throughout the year rather than a once a year effort.  A number of these are also quarterly requirements.  They include:

* 3.5.1 – Maintain a documented description of the cryptographic architecture.
* – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
* 12.4 – Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program.
* 12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.