Category: Feature

A new report from Sophos says that since its first appearance in December 2015, the SamSam ransomware has raked in almost $6 million by targeting organisations and individuals around the world, including those in India. According to the 47-page report, 74 percent of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the U.K. and the Middle East, with India ranking sixth among the top victim countries across the world. The cybersecurity firm also revealed in a separate survey that 90 percent of the businesses in India have been either hit or expected to be hit by ransomware, and it’s expecting that Indian business will see an increase in cyber attacks in the near future, and SamSam ransomware could be one of them. One is not like the others Different from the traditional ransomware attacks, SamSam’s thorough encryption renders not only personal and work data files unusable but also any program nonessential to Windows operation, most of which are not routinely backed up. Unlike nearly all other ransomware attacks, much of the attack process is manual. Once inside a system, the attacker spread a payload laterally across the network; a sleeper cell awaits instructions to begin encrypting. The result of SamSam attacks is often that numerous victims are unable to recover adequately or quickly enough, and therefore decide to pay the ransom. You can’t secure what you can’t see While the infection method of the SamSam ransomware is still unclear, as always, cyber hygiene practic es should be the first line of defense. Preventing an attack (or being able to respond and isolate it quickly) requires a strong security foundation that is built on the complete visibility of the network. This pervasive visibility gives IT teams the ability to quickly identify potential exposures and attack paths. Skybox gives that visibility by consolidating data from more than 120 networking and security technologies that organizations have in use. The Skybox® SecuritySuite uses this information to create a dynamic model of an attack surface including physical, multi-cloud and OT networks where needed. The model provides context around all of the ingress/ egress points and complexities of the network and assets, thereby giving a detailed understanding of what a user is trying to defend. After building the model of the environment, Skybox will conduct a risk analysis to identify and prioritize weaknesses and vulnerabilities such as unprotected ingress/ egress points, misconfigured network devices, firewalls with overly permissive rules, exposed assets, exploitable attack vectors etc. Following the initial resilience assessment, the riskiest characteristics of the environment can be remediated to reduce risk quickly and in a demonstrable way – for example by addressing parts of the infrastructure for which there are no firewalls or where these are configured incorrectly; filling in vulnerability scanning blind spots; and recommending remediation and mitigation for high-risk vulnerabilities. Acting on this insight, the environment will immediately be more secure and resilient. If an attack or malware outbreak does occur, the user has a greater context to contain the attack quickly and eliminate the vectors.  

The key of the future is digital, and it offers more features than its analog predecessors – impossible to lose or steal, and there is never a need to search for it. That is because it is stored securely and specifically for each user in a smartphone app. “Our Perfectly Keyless app is making conventional vehicle keys a thing of the past. Bosch is taking the car key into the digital realm and making it available anywhere, anytime,” says Harald Kröger, President of the Bosch Automotive Electronics division. With Perfectly Keyless, the smartphone replaces the analog vehicle key. This concept can offer owners of private vehicles increased convenience, but where it really shines is in vehicle fleets with multiple drivers. No more key handovers – fleet managers and logistics providers simply use the app to give drivers access to the vehicles. “Bosch’s digital vehicle key gives fleets a boost towards greater connectivity,” Kröger says. The company believes there is a huge market for its solution, which is making its world debut at the IAA Commercial Vehicles in Hannover. The potential customers include some 15,000 logistics providers in Germany alone. Most of them manage at least a dozen vehicles and drivers. A keyless journey Row upon row of hundreds of keys hanging on large boards – logistics providers still often use this method to organize the keys to their fleet vehicles. A missing key triggers a massive search operation. But every minute counts, especially with commercial vehicles. After all, if a truck isn’t moving, it’s not making any money. At the core of the new system is an app that dispatchers and truck drivers both have on their phones. This makes it possible to grant vehicle access with just a few clicks. In the future, the Bosch solution will also allow logistics providers to completely integrate digital key management into their dispatch and scheduling systems. As soon as dispatch is assigned drivers and trucks to a route, the system automatically generates digital keys for the vehicles and sends them to the drivers’ smartphones. If the route scheduling changes, the software adjusts the keys accordingly. “Thanks to Bosch’s fully digital key management, logistics providers enjoy both security and flexibility in their planning. This is the only way the logistics of the future will be able to function efficiently,” Kröger says. Secure key management with app and cloud Bosch digital key management connects trucks and the smartphone app via the cloud. Dispatchers or fleet managers use the app to assign a truck to a driver for a particular route. Perfectly Keyless generates a personal, secure digital key and sends it via the cloud to the truck and to the driver’s smartphone. As the driver approaches the assigned truck, the sensors installed in the truck detect the smartphone via a wireless connection. The vehicle doors will open only if the key on the phone ‘fits’ the digital lock in the vehicle. These sensors can also tell when the driver is in the driver’s seat, and the engine starts up as soon as the driver presses the start-stop button. When the driver gets out of the car at the end of the journey, the system detects this and automatically locks the doors. Battery dead – No problem But what happens if the smartphone’s battery dies, or the device has gone missing? In the future, the vehicle key in the smartphone will work even if the phone battery is dead. In that case, the phone and truck will communicate using near-field communication (NFC), a wireless protocol for sharing data over short distances. Bosch plans to make it the ‘double hull’ of its solution. If the smartphone is lost or stolen, and the app with it, the digital key can be simply deactivated online, thus blocking access to the vehicle. It cannot be opened and started until the fleet manager uses the app to provide another driver or a new phone with access to the truck.

Oscar Wild in 18th century, wrote a play called, ‘Importance of being Earnest.’ The play talks about a wealthy gentleman called Jack, who uses the name of Earnest when visiting a different town. Jack’s friend Algernon (Algy) also christens an imaginary friend Bunbury. The author clearly points towards the different lifestyle that Jack lives when he switches the name. Both the characters indulge in deception, created by the two names, or the imaginary friend as per their convenience highlighting the importance of being Earnest. Earnest in English language is defined as a thing intended or regarded as a sign or promise of what is to come. The intended satire of this English classic, although first performed in 18th century fits in modern day cookie world also. The websites or the web tools use cookies to predict what you would like to see. Cookies are actually given to a browser by the server. These cookies, then help the website to determine your interests, your likes, your dislikes etc. So if you have searched for a thing on the web and find ads related to it when you are visiting social media platforms, it’s just your cookies telling your social media about your likes and dislikes. The social media is a small part of our daily life. We are living in a globalised world, where the distance is just a number. IT has revolutionised the way we communicate, the way we spend our time, the way we shop, and most importantly the way we work. We are living a data driven life, making data an important tool. Imagine, if just like our social media platforms, our work and related data are also used to predict what we wish to do. The indication in itself has two faces. One points towards Business Intelligence (BI) wherein the data is used to automate our daily process and the other points towards data access provided to users without our consent, commonly known as data leakage. The problem is exactly as has been raised in the play. Can we trust the web resources we have been relying upon? For BI the data moves in order to generate meaningful analysis, which can support business decisions, but the business is aware of the data movement and expects it to be turned into meaningful results. Apart from BI also, a huge amount of data flows from and within the organization. Be it through mail, phone calls, messages or marketing brochures. We are sharing the data, and if we are sharing the data, then what harm would a web portal sharing the data do? The answer to the dilemma is simple – when we share the data or the information, we are in total control. We can control the level of information that we share, as well as decide the receiver of the information. But in the case of our tool sharing the information, there is no control over what will be shared or how much would be shared. Recently, a social media giant was questioned for data privacy in the US. The organisation under question has a user base of millions and is a global brand. The brand is famous for not generating its own content, but has been accused of selling the customers’ information to a third party. The case for now seems to be confined to just social media, but if a similar thing happens with the web tool that we use for our official purpose, it will be a nightmares for business stakeholders. The impact of the harm from data leakage is hard to anticipate, and when we look at private security organisations the scenario turns into a complex equation. The organisation’s biggest resource is manpower which is exposed to high attrition. The manpower moves from agency to agency, and agencies are looking for guards. Hiring new guards brings training cost with it, making new hiring an expensive business. Along with the industry specific risk, the industry also faces the generic risk of exposing their contract/ tender value which can pose a direct danger to the agency’s income. The damage is not restricted to the private security organisation only but to the customer also. The customers hire private security agencies in order to protect their premises, but if the information such as guard allocation is out it can jeopardise customer’s security also. Specific to private security industry, a contradictory statement that is often heard in the industry is that the private security industry in India is highly unorganised. The ‘unorganised’ in the statement refers to the minimal usage of process solutions streamlining daily operations of the industry. But the statement is deceiving in its own terms. Most of the private security agencies rely readily upon available solutions. The commonly used solutions do not have any encryption and generate data in a format which can be easily transferred. The lack of encryption and easy availability of the solution makes the data prone to leakage. Some of the agencies have opted for offline solutions which, unlike the readily available solutions, are agency specific. These solutions need to be maintained in-house only. The private security agency has its expertise in manned guarding, and for an agency to invest in their solution maintenance is more of a cost than investment. Moreover, the technology changes rapidly, and the in-house software are often found lagging behind the latest technology, turning them into a burden for the agency rather than a solution. Cloud computing has revolutionised the world and looks like a perfect solution to the needs of the industry. Private security agencies should be able to relate to cloud computing more than any industry. Cloud computing is like giving our data to an expert to keep it secure and provide the authorised access whenever requested. Cloud solution providers deal in data and thus are well equipped to secure the data. There are solutions in the market which can work as a bridge between the agencies’ daily operations and cloud servers. These solutions…

With the growing number of schools in the United States with video surveillance, electronic access control and other traditional security systems, the number of potential ‘greenfield’ projects for suppliers falls. Declining numbers of new security system installations will lead to slowing market growth over the next five years. Even so, security manufacturers are looking to implement the following new security technologies to improve school safety, which would also help reignite market growth. HIGHLIGHTS The education sector of the market for security equipment and services reached $2.7 billion in revenue in 2017. As most schools have already implemented surveillance systems and access control systems, the market is expected to grow an average of just 1 percent annually, reaching $2.8 billion by 2021. According to survey data from the National Center for Education Statistics, the proportion of schools deploying video surveillance systems has risen from 20 percent in 1999 to over 70 percent in 2013. Likewise, the proportion of schools actively controlling the entrances to their buildings has risen from 75 percent to over 90 percent. Despite advancements in the level of security used on school premises, the number mass shootings at US schools has remained relatively constant throughout the past 30 years. When looking specifically at secondary schools, the number of mass shootings has reached an unprecedented high in the past five years. New technologies are currently being investigated to improve safety at schools, including facial recognition, logical and physical security identity management integration and high security classroom doors. Facial recognition technology Many of the video surveillance systems currently used in schools are not actively monitored and also lack any form of effective automated response. Adoption of facial recognition technology would allow the surveillance system to proactively search for potential threats and alert school administrators and security staff about unrecognized individuals in the building. Unfortunately, affordable facial recognition technologies are often unable to adequately recognize the number of faces in a typical school; plus, these systems can place a large strain on a school’s information technology network. Logical and physical security identity management integration Integrating the school’s access control database with a higher authority logical database – for example, a student directory – would allow the access rights of former staff, and students who have been expelled or already graduated, to be removed automatically. However, access control providers may find it difficult to get permission to access student records and other sensitive data. Education administrators may also be uncomfortable with possibly creating a potential avenue of cyberattack. High-security classroom doors with multipoint looking systems Higher-grade doors would create a far more effective barrier between students and potential attackers, creating numerous safe spaces throughout the building in emergencies. It’s also true, though, that purchasing thousands of doors would be expensive. Fire regulations often dictate that key entrances and exits remain fail-safe during emergencies. Locking and unlocking doors multiple times would also disrupt teaching. Weapons checks using metal detectors or x-ray machines at school entrances Using metal detectors or x-ray machines at entrances along the school perimeter makes bringing weapons into the school much more difficult. However, schools often have multiple entrances, which means each school would require multiple detectors or x-ray machines – both of which are expensive. The school would also need to hire additional security staff to operate each machine. Securing entrances in this manner would also mean long queues would form after breaks and lunchtime, reducing the free time of students and staff. Access Control Intelligence Service Entering its fourth full year, the IHS Markit Access Control Intelligence Service provides primary analysis of the equipment market, plus thorough investigation of key technology trends affecting the industry. Current topics of focus include: mobile access, logical and physical identity management integration, adoption of biometric technology and security system convergence. By Jim Dearing Security and Building Technologies, Senior Analyst, IHS Markit  

Smartphone brands are expected to increase their adoption of under-display fingerprint sensors, which allow phones to have full-screen displays with an invisible fingerprint feature, according to IHS Markit, a world leader in critical information, analytics and solutions. Shipments of smartphones using ‘underdisplay fingerprint sensor’ is forecast to reach at least 9 million units in 2018 and top 100 million units by 2019, according to the new Display Fingerprint Technology & Market Report – 2018 by IHS Markit. The market will keep growing remarkably for the next three years, led by Samsung Electronics and Chinese smartphone brands such as Vivo, Huawei and Xiaomi. By integrating the fingerprint sensor under the display of a smartphone, the phone can offer an invisible and front-side fingerprint feature with 18:9 or higher ratio full-screen displays. Applications using under-display fingerprint sensors, including the Vivo X20 and X21 and the Huawei Mate RS, were finally launched in late March. More are expected to come to market in the second half of 2018. Apple was the first to introduce fingerprint recognition as major biometric identification. It launched Touch ID on the iPhone in 2013, followed in 2015 by Android system’s native fingerprint sensing support, which has contributed to the market’s dramatic growth for the past few years. Due to its convenience and intuitive use, fingerprint recognition was applied to more than 60 percent of total smartphone shipments in 2017. User preferences for a better viewing experience gave rise to larger, full-screen displays on smartphones, but earlier models were limited to having the fingerprint sensors being placed outside the screen boundary. The introduction of rear-side fingerprint sensing came as a compromise to overcome these limitations with full-screen smartphones. Now, the under-display fingerprint solution allows for the sensor to return to the front side of the smartphone. “With Vivo and Huawei recently launching several models with the under-display fingerprint solution, it is certainly rising as a new trend,” said Calvin Hsieh, Director of Touch and User Interface Research at IHS Markit, “This also pressures Samsung Electronics, which hasn’t decided whether or not to adopt the solution in its Galaxy Note 9.” If Samsung applies the solution to the Galaxy Note 9, shipments of smartphones with the solution will hike to more than 20 million units in 2018, from the currently estimated 9 million units, IHS Markit predicts. Almost all fingerprint IC makers are interested in developing under-display fingerprint solutions because the profit margin is much higher than discrete solutions. Leading solution makers include Synaptics, Goodix, Qualcomm and Egis, followed by Samsung LSI, FPC, VkanSee, CrucialTec, BeyondEyes and FocalTech. Among panel makers, Samsung Display – with mature active-matrix organic light-emitting diode (AMOLED) panel manufacturing technology – takes the leading role as the under display fingerprint can be only applied to AMOLED for now, followed by BOE. The Touch Panel Market Tracker by IHS Markit provides a variety of in-depth analyses on touch panel market, including touch user interface technology, market dynamic and emerging trends.

NIST scientists have published statistical data needed for forensic DNA profiling based on a technology called Next Generation Sequencing. To do that, they sequenced forensic DNA markers for a sample population. The letters A, G, T, and C represent the building blocks of DNA. DNA is often considered the most reliable form of forensic evidence, and this reputation is based on the way DNA experts use statistics. When they compare the DNA left at a crime scene with the DNA of a suspect, experts generate statistics that describe how closely those DNA samples match. A jury can then take those match statistics into account when deciding guilt or innocence. These match statistics are reliable because they’re based on rigorous scientific research. However, that research only applies to DNA fingerprints, also called DNA profiles, that have been generated using current technology. Now, scientists at the National Institute of Standards and Technology (NIST) have laid the statistical foundation for calculating match statistics when using Next Generation Sequencing, or NGS, which produces DNA profiles that can be more useful in solving some crimes. This research, which was jointly funded by NIST and the FBI, was published in Forensic Science International: Genetics. “If you’re working criminal cases, you need to be able to generate match statistics,” said Katherine Gettings, the NIST biologist who led the study, “The data we’ve published will make it possible for labs that use NGS to generate those statistics.” How to create a dna profile To generate a DNA profile, forensic labs analyze sections of DNA, called genetic markers, where the genetic code repeats itself, like a word typed over and over again. Those sections are called short tandem repeats, or STRs, and the number of repeats at each marker varies from person to person. The analyst doesn’t actually read the genetic sequence inside those markers, but just counts the number of repeats at each one. That yields a series of numbers that, like a long social security number, can be used to identify a person. STR-based profiling was developed in the 1990s, when genetic sequencing was hugely expensive. Today, NGS makes sequencing cost-effective for biomedical research and other applications. NGS can also be used to create forensic DNA profiles that, unlike traditional STR profiles, include the actual genetic sequence inside the markers. That provides a lot more data. That extra data might not be needed because in most cases, STR-based profiles contain more than enough information to reliably identify a suspect. However, if the evidence contains only a minute amount of DNA, or if the DNA has been exposed to the elements and has begun to break down, then the analyst might only get a partial profile, which may not be enough to identify a suspect. In those cases, the extra data in an NGS-based profile might help solve the case. In addition, evidence that contains a mixture of DNA from several people can be difficult to interpret. The extra data in NGS-based profiles can help in those cases as well. Calculating match statistics DNA analysts are able to calculate match statistics for STR-based profiles because scientists have measured how frequently different versions of the markers occur in the population. With those frequencies, one can calculate the chances of randomly encountering a particular DNA profile, just as he can calculate the chances of picking all the right numbers in a lottery. NIST measured those STR gene frequencies years ago using a library of DNA samples from 1,036 individuals. To calculate gene frequencies for NGSbased profiles, Gettings and her co-authors cracked open the freezer that contained the original samples, which were anonymized and donated by people who consented to their DNA being used for research. The scientists generated NGS-based profiles for them by sequencing 27 markers – the core set of 20 included in most DNA profiles in the U.S. plus seven others. They then calculated the frequencies for the various genetic sequences found at each marker. It might be surprising that scientists can estimate gene frequencies from such a small library of samples. However, the NIST team was measuring frequencies not for the full profiles, but for the individual markers. Since they sequenced 27 markers, with each marker occurring twice per sample, the number of markers tested wasn’t 1,036, but more than 55,000 Although NIST has now published the data needed to generate match statistics for NGS-based profiles, other hurdles must still be cleared before the new technology sees widespread use in forensics. For instance, labs will have to develop ways to manage the greater amounts of data produced by NGS. They will also have to implement operating procedures and quality controls for the new technology. “Still, while much work remains,” said Peter Vallone, the Research Chemist who leads NIST’s Forensic Genetics Research, “We’re laying the foundation for the future.”