What the ban on facial recognition tech will – and will not – do

As San Francisco moves to regulate the use of facial recognition systems, we reflect on some of the many ‘faces’ of the fast-growing technology

Last week, San Francisco became the first city in the United States to ban the use of facial recognition technology, at least by law enforcement, local agencies, and the city’s transport authority. My immediate reaction to the headlines was that this was great for individuals’ privacy, a truly bold decision by the San Francisco board of supervisors.

The ordinance actually covers more than just facial recognition, as it states the following: “‘Surveillance Technology’ means any software, electronic device, system utilizing an electronic device, or similar device used, designed, or primarily intended to collect, retain, process, or share audio, electronic, visual, location, thermal, biometric, olfactory or similar information specifically associated with, or capable of being associated with, any individual or group.”

The ban excludes San Francisco’s airport and sea port, as these are operated by federal agencies. Nor does it stop individuals, companies or other organizations from installing surveillance systems that include facial recognition, or stop the agencies covered by the ban from cooperating with those who are allowed to use the technology. For example, video captured by a home security system can still be used by law enforcement to assist in a criminal case.

One of the objections to facial recognition is that the technology has proved inaccurate, specifically when recognizing people of color and women. There could be many reasons for this, but one likely reason is that the datasets used to train the software are not representative of those specific groups. As with all emerging technologies, accuracy improves over time; as more representative data is captured and the technology develops, these issues will be addressed.

Taking action to protect the privacy of individuals is clearly a step in the right direction. This particular ordinance caught my attention because, being British, I have witnessed the oversurveillance culture where you can’t walk on any street or drive on any road without being captured on numerous surveillance systems.

But, when reflecting on this ban and now being a resident of the San Francisco Bay Area, I find myself considering whether law enforcement should have all the tools necessary to proactively protect the public. If there are people on watch lists and the like, then maybe I want law enforcement to know where they are.

There are many uses for facial recognition. Many smart phones use the technology as authentication to unlock, social media use it to tag photos, and a California-based company called Cubic Corporation that develops the ticketing system for London’s Underground is now exploring whether facial recognition could be used to validate your journey.

One outstanding example of law enforcement using facial recognition was demonstrated in India when New Delhi’s police force identified 3,000 missing children within just four days of a trial launch. The technology was used on 45,000 children throughout the city and it identified 2,930 of them as having been recorded as missing.

Less congestion on transport, reuniting missing children with parents and equipping law enforcement with the best technology to keep the public safe are all positive uses of the technology. It would seem apparent that the issue is not the use of surveillance technology, but the potential for it to be misused.

For those of you wanting to take proactive steps to protect your identity from facial recognition systems, a pair of invisibility glasses could be the answer.

20 May 2019 – 06:55PM

CEO told to hand back 757,000 fraudulently obtained IP addresses


A company accused of fraudulently obtaining 757,000 IPv4 addresses has been ordered to hand them back after the American Registry for Internet Numbers (ARIN) won a landmark judgment against it.

The dispute began in late 2018 when ARIN, which allocates IPv4 addresses in the US, Canada and parts of the Caribbean on a non-profit basis, discovered that a company called Micfo and its owner Amir Golestan had fraudulently tricked it into handing over the IP blocks.

IPv4 addresses are in incredibly short supply (see below), which means that getting hold of them involves waiting lists. Scarcity also makes them valuable on resale – between $13 and $19 each. That would make the IP addresses Micfo obtained worth between $9.8 million and $14.3 million.

Not surprisingly, cases of pocket-lining IP address fraud have risen, as ARIN’s senior director of global registry knowledge warned in a conference presentation in 2016.

Second-hand addresses

How do the fraudsters get hold of the addresses? By using the simple technique ARIN accused Micfo of deploying.

The key is that a lot of IPv4 addresses were handed out in the past when nobody worried about shortages – a surprising proportion of which fell into disuse.

Criminals attempt to detect these dormant ranges using public data from ARIN’s Whois and from internet routing tables, checking which ones are still being announced (i.e. routed).

If they’re not, and no longer have an active admin, they attempt to take them over using re-registration, claiming rights to them from ARIN.
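The same signals work in the other direction. The following script, added here as an illustration and not ARIN’s or Micfo’s code, flags allocations that are neither announced in BGP nor touched in Whois for years, which is the profile described above. The allocation records and the routed-prefix snapshot are constructed (documentation address ranges); in practice they would come from a Whois export and a routing table dump.

```python
import ipaddress
from datetime import date

# Constructed Whois-style allocation records: NetRange, OrgName and the date the
# registration record was last updated. Addresses are RFC 5737 documentation ranges.
ALLOCATIONS = [
    {"net": "192.0.2.0/24",    "org": "Example Corp",   "updated": date(2018, 11, 2)},
    {"net": "198.51.100.0/24", "org": "Defunct Labs",   "updated": date(2004, 6, 15)},
    {"net": "203.0.113.0/24",  "org": "Legacy Mfg Inc", "updated": date(2001, 3, 9)},
]

# Constructed snapshot of prefixes currently announced in BGP (what a routing
# table dump or a looking glass would show). Note the /25: partial announcements count.
ROUTED_PREFIXES = ["192.0.2.0/24", "203.0.113.0/25"]


def covering_routes(net, routed):
    """Announced prefixes that overlap the allocation (a /25 inside a /24 counts)."""
    n = ipaddress.ip_network(net)
    return [r for r in routed if ipaddress.ip_network(r).overlaps(n)]


def classify(alloc, routed, today, stale_years=10):
    """'routed', 'unrouted' (idle but recently administered) or 'dormant'.

    Dormant means no part of the block is announced AND the Whois record has not
    been updated for stale_years: unused space with nobody obviously minding it.
    """
    routes = covering_routes(alloc["net"], routed)
    age_years = (today - alloc["updated"]).days / 365.25
    if routes:
        return "routed"
    return "dormant" if age_years >= stale_years else "unrouted"


def dormant_blocks(allocations, routed, today, stale_years=10):
    """Allocations a fraudster (or a diligent registry) would look at first."""
    return [a["net"] for a in allocations
            if classify(a, routed, today, stale_years) == "dormant"]


if __name__ == "__main__":
    today = date(2019, 5, 20)
    for a in ALLOCATIONS:
        print(a["net"], a["org"], classify(a, ROUTED_PREFIXES, today))
    print("dormant:", dormant_blocks(ALLOCATIONS, ROUTED_PREFIXES, today))
```

A legitimate holder can run the same check against its own allocations: a block that comes back as dormant is one worth re-announcing, or at least one whose Whois contacts should be refreshed before somebody else claims it.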

According to ARIN, from 2014 onwards Golestan and Micfo used 11 ‘shelf’ companies across the US as fronts to obtain the 757,760 IP addresses, backing this up with faked notarised affidavits from staff who turned out not to exist.

Even when ARIN detected the fraud, Micfo continued to resist, seeking a restraining court order against the organisation. It also filed for arbitration, the first time this has happened in such a case.

On 1 May, Micfo lost this arbitration and was ordered to hand back the addresses and pay ARIN $350,000 to cover legal fees. Golestan now faces charges of wire fraud carrying a possible 20-year sentence.

Some of the addresses are being used by bona fide buyers and probably won’t be returned. Nevertheless, the case has highlighted the growing problem of IP address fraud. Said ARIN president and CEO, John Curran:

We are stepping up our efforts to actively investigate suspected cases of fraud against ARIN and will revoke resources and report unlawful activity to law enforcement whenever appropriate.

Why the shortage?

As a 32-bit addressing scheme, IPv4 is limited to a maximum of 2^32, or 4,294,967,296, possibilities. When it was defined decades ago, that seemed plenty.

Even though not every device needs one of these addresses (router/ISP Network Address Translation hides lots of networks and devices behind a single IP), this won’t work for publicly reachable servers that must accept incoming connections.

Warnings about the imminent exhaustion of these IPv4 addresses go back years with IANA announcing that it was running out in 2011, followed by Europe’s RIPE in 2012, and North America’s ARIN in 2015.

What they meant by ‘running out’ is that as time passes they are managing scarcity by handing out smaller and smaller blocks of addresses to organisations requesting them.

Ironically, a lot of already allocated IPv4 addresses are still out there and have merely fallen into disuse, which is where address recycling comes in.

The long-term solution is supposed to be IPv6, finalised in 1998, which increases the address space to 128 bits and the number of possible IP addresses to a very large number (2^128).

The problem with moving to IPv6 is that, because it requires operating systems, websites and routing hardware to support it, migration is happening very slowly.

If you already have a website registered at an IPv4 address, why bother firing up an IPv6 equivalent? Having an internet with two separate address spaces is like driving on the left but being told that it might be a good idea to drive on the right too – people understandably stick to what they know.

What might eventually drive people to IPv6 is economics. As soon as the cost of IPv4 addresses crosses a threshold, IPv6 will suddenly look more attractive.

Unfortunately, exactly the same thing will draw criminals to second-hand IPv4 addresses. ARIN’s latest case is unlikely to be its last.

Brave browser concerned that Client Hints could be abused for tracking


The people at privacy-focused browser Brave have criticised an industry proposal that they say would make it easier for websites to identify a browser using a passive, cookie-less technique called fingerprinting.

Called HTTP Client Hints, the proposal provides a standard way for a web server to ask a browser for information about itself. It comes from the Internet Engineering Task Force (IETF). This organization works with industry members to create voluntary standards for internet protocols, and it has a lot of power. It standardized TCP and HTTP, two of the internet’s foundational protocols. 

HTTP already offers a technique called proactive negotiation, in which the browser describes its preferences and capabilities to the server in request headers such as Accept. Because those headers go out with every request, though, the approach takes too much bandwidth, says the IETF.

Client Hints makes things easier. It defines a new response header (Accept-CH) that servers can send whenever they like, asking the browser for information about things like its display width and height in pixels, the amount of memory it has, and its colour depth.

The IETF says that Client Hints would make it easier for servers to deliver the right content for a browser. You wouldn’t want a massive picture delivered if you’re viewing on a mobile device, for example.

So Client Hints doesn’t seem to ask the browser for information that a server couldn’t already find by other means. And, in fact, in its security guidelines for those implementing the proposed standard, the IETF urges them not to expose to the server any information that isn’t already available via other means (such as HTML, CSS, or JavaScript).

This doesn’t mollify the team at Brave, though. It views Client Hints as yet another tracking method providing a way for browsers to serve up information about users. It says:

Brave is working on preventing websites from learning many of these values using JavaScript, while at the same time not breaking websites; adding Client-Hints into the browser platform would expose an additional tracking method to block and potentially make it even more difficult to maintain a usable, private Web.

Third-party delegation

Brave also dislikes another part of Client Hints: It lets a server instruct a browser to send its information to third parties (a process it calls third-party delegation). These other websites could include advertising networks serving up ads on a page.   

The Client Hints proposal also makes it easier for companies in between your browser and the website you’re visiting to know more about your device, warns Brave. It’s referring here to content distribution networks (CDNs). These are services that cache website content around the world so it’s closer to the people that read it, improving website performance. 

The IETF proposal urges developers to only deliver Client Hints to the website they’re viewing (the origin), rather than to third party sites that may interact with it. But these security guidelines are just that: guidelines. The technology itself won’t stop unscrupulous sites from contravening them.

Brave points out that it is the server that opts to serve these requests, and that users don’t get to choose:

The browser won’t send the values unless the server requests them, but should provide them when the server does request them.

Opt-in mechanisms for the users themselves aren’t mandatory, apparently because the privacy implications are hard to explain. The IETF proposal says:

Implementers MAY provide user choice mechanisms so that users may balance privacy concerns with bandwidth limitations. However, implementers should also be aware that explaining the privacy implications of passive fingerprinting to users may be challenging.

Ultimately, browser vendors will have the right to implement the standard or not, and Brave can do as it sees fit. Even if major browsers do opt to implement it, most have shown a willingness to hobble the standards if they’re abused for fingerprinting instead of the intended purpose.
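To make the server-opt-in, first-party-only and third-party-delegation behaviour discussed above concrete, here is a small model of the exchange, added as an example and not code from Brave or from the IETF draft. The hint names (Accept-CH, DPR, Viewport-Width, Device-Memory) are the draft’s; the device profile is constructed, and the X-Delegate-CH header is a hypothetical stand-in for the separate policy mechanism the draft used to delegate hints to third parties.

```python
from urllib.parse import urlsplit

# Constructed device profile: the values the hints would reveal about this browser.
DEVICE = {"DPR": "2", "Viewport-Width": "412", "Device-Memory": "4"}


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def parse_accept_ch(value):
    """'DPR, Viewport-Width' -> ['DPR', 'Viewport-Width']."""
    return [h.strip() for h in value.split(",") if h.strip()]


class Browser:
    """Remembers which hints each origin asked for and attaches them to later requests."""

    def __init__(self, device, user_opt_in=True):
        self.device = device
        self.user_opt_in = user_opt_in      # the MAY-provide user choice from the draft
        self.accepted = {}                  # origin -> set of requested hints
        self.delegated = {}                 # top-level origin -> {third-party origin: hints}

    def receive(self, url, response_headers):
        """Process a response: the server opts in by sending Accept-CH."""
        origin = origin_of(url)
        if "Accept-CH" in response_headers:
            self.accepted.setdefault(origin, set()).update(
                parse_accept_ch(response_headers["Accept-CH"]))
        # Hypothetical delegation header: "https://ads.example=DPR, Width; https://cdn.example=DPR"
        if "X-Delegate-CH" in response_headers:
            for part in response_headers["X-Delegate-CH"].split(";"):
                target, hints = part.split("=", 1)
                self.delegated.setdefault(origin, {}).setdefault(
                    target.strip(), set()).update(parse_accept_ch(hints))

    def request_headers(self, url, top_level_url):
        """Hint headers attached to a request for url while top_level_url is the page."""
        if not self.user_opt_in:
            return {}
        origin, top = origin_of(url), origin_of(top_level_url)
        if origin == top:
            wanted = self.accepted.get(origin, set())          # first party: what it asked for
        else:
            wanted = self.delegated.get(top, {}).get(origin, set())  # third party: only if delegated
        # Unknown hint names are ignored rather than leaking anything extra.
        return {h: self.device[h] for h in sorted(wanted) if h in self.device}


if __name__ == "__main__":
    b = Browser(DEVICE)
    b.receive("https://news.example/", {"Accept-CH": "DPR, Viewport-Width, Bogus"})
    print(b.request_headers("https://news.example/hero.jpg", "https://news.example/"))
    print(b.request_headers("https://ads.example/pixel", "https://news.example/"))
    b.receive("https://news.example/", {"X-Delegate-CH": "https://ads.example=DPR"})
    print(b.request_headers("https://ads.example/pixel", "https://news.example/"))
```

The third call shows Brave’s objection in miniature: once the page delegates, an ad network on that page receives the device values without the user having been asked. The user_opt_in flag is the only thing in the model that stops it, and the draft leaves that flag optional.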

Facebook bans accounts of fake news firm


Facebook has shut down 265 fake accounts, many linked to an Israel-based social media company, that were being used to spread fake news and influence political discourse in a number of nations – mostly in Africa, but also in Latin America and Southeast Asia.

The company announced on Thursday that the accounts, which were on both Facebook and Instagram, had engaged in what Facebook dubbed “coordinated inauthentic behavior.”

In the ongoing back-and-forth over the use of social media as a platform from which to launch political meddling, companies such as Facebook and Twitter have been wrestling with the way their platforms have been used to spread disinformation. Singling out a company like Facebook did with Archimedes Group is a new twist, though.

The company promises its clients that it can bend reality for them. Archimedes Group, based in Tel Aviv, calls itself a leader in large-scale, worldwide “campaigns” and promises to “use every tool and take every advantage available in order to change reality according to our client’s wishes.”

…at least, the site was promising that when the Washington Post wrote up the news. Its site is strange to navigate, so either I can’t find that text, or perhaps Archimedes Group has yet again warped reality… and tweaked its site to remove the “by any means necessary” message.

Nathaniel Gleicher, Facebook’s head of global cybersecurity policy, said in Thursday’s post that the Pages and accounts weren’t taken down because of their content. Rather, it was their coordinated behavior that set off red flags:

As in other cases involving coordinated inauthentic behavior, the individuals behind this activity coordinated with one another to mislead others about who they were and what they were doing, and that was the basis for our action.

Gleicher said that the people behind the network used fake accounts to run Pages, disseminate content and artificially pump up engagement. They also lied about being locals – including local news organizations – and published what was allegedly leaked information about politicians.

Facebook’s investigation showed that some of the activity was linked to Archimedes Group, which it banned from both its main platform and its Instagram service. Facebook also sent the company a cease and desist letter.

Before the ban, Archimedes Group was running 65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts. The Pages and accounts frequently posted about politics, including elections, candidate views and criticism of political opponents, focusing mainly on the African nations of Nigeria, Senegal, Togo, Angola, Niger and Tunisia, along with some activity in Latin America and Southeast Asia.

The Pages and accounts had about 2.8 million followers, and about 5,500 accounts joined at least one of the Groups. About 920 people followed one or more of the Instagram accounts.

Facebook says that the accounts paid it around $812,000 for Facebook ads, paid for in Brazilian reals, Israeli shekels, and US dollars. The accounts took out their first ad in December 2012, while the most recent ad ran last month.

The Pages hosted nine events between October 2017 and May 2019, with up to 2,900 people having expressed interest in at least one of the events. Facebook couldn’t determine whether any of those events actually took place.

Who’s behind it?

While Facebook traced much of the coordinated, “inauthentic” behavior to Archimedes Group, it’s unclear who paid the Israeli firm for the disinformation campaign(s). Graham Brookie, the director of the Digital Forensic Research Lab at the Atlantic Council, told the Washington Post that it’s easy enough to follow the ad-buying money trail to Archimedes, but it gets hazy after that:

The useful thing about the ads is it gives us high confidence it was Archimedes, but it doesn’t give us high confidence who was paying Archimedes.

The lack of transparency into who’s behind the first hop in the money trail points to a vulnerability in Facebook’s transparency tools, he noted. What we do know is that somebody doesn’t mind paying for bogus news:

It is disinformation for money. It’s the convergence of ideological disinformation, and disinformation for economic gain.

The use of coordinated accounts in disinformation campaigns was one of the techniques used by the Russian government-linked propaganda factory known as the Internet Research Agency (IRA) during the disinformation campaign around the 2016 US presidential election.

Using both Facebook and Instagram was another similarity between the Archimedes Group and the IRA. In reports prepared for the Senate Intelligence Committee and released in December, researchers concluded that while Facebook, Twitter or Google reached the most people, Instagram was where the action was: that’s where the disinformation and political meddling posts got far more play.

In a years-long propaganda campaign that preceded the election and which didn’t stop after, Facebook’s photo-sharing subsidiary generated responses that dwarfed those of other platforms: researchers counted 187 million Instagram comments, likes and other user reactions, which was more than Twitter and Facebook combined.

But just because the Archimedes Group used similar tactics to the IRA doesn’t suggest anything more than that the Archimedes Group, like others around the globe, can easily take a page from Russia’s playbook. As it is, disinformation campaigns, and the tactics used therein, are now being widely deployed around the world, experts told the Post – including in the US.

Bots rigged Russian finale of ‘The Voice Kids’ talent show


Sure, bots might be all over the US electorate, but this is serious. This is The Voice. Think of the children!

That’s what Russian bots were doing, in fact: robo-thinking of the children. Make that one child in particular – the daughter of pop singer Alsou and wealthy businessman Yan Abramov, whom they robo-voted in by a suspiciously large margin to win the sixth season of Russia’s popular TV talent show “The Voice Kids.”

Mikella Abramova, 10, won with 56.5% of the phone-in vote.

The state-owned channel that broadcasts the show, Channel One TV, announced on Thursday that it had decided to cancel the results of the vote.

Channel One said it’s working on boosting the safety of the voting system – before the start of the next season – so this never happens again.

What happened in the 6th season of “Voice of the Child” should be the first and the last case when someone tried to control the audience choice.

It came to the decision after having called on Group-IB to investigate the vote. Group-IB, an infosec firm that analyzes threats originating in Russia and Eastern Europe and which is an official partner of Interpol and Europol, released the initial results of that investigation on Thursday and said that its investigation is ongoing.

Massive text and call spamming

What it’s found so far: analysis of text and voice messages shows “massive automated SMS spamming” in favor of one of The Voice Kids participants. In other words, bots placing a slew of robocalls and robo-SMS messages.

More than 8,000 text messages were sent from about 300 phone numbers during the vote. Whoever spammed the voting system used sequential phone numbers to send automated votes.

Group-IB’s analysis found that whoever pulled off the “massive vote manipulation” ran into a technical glitch: a fragment of the code written to automate the sending of messages wound up inside the text messages themselves. One number in that stray string of code was the participant’s phone number, a clue that enabled Group-IB to determine that all 300 phone numbers behind the 8,000 text messages were controlled by one person, using the same rate plan.

As far as calls go, Group-IB ranked voting regions and found one, in particular, that was unusually active after the start of voting. Sequential calls placed by bots in that region accounted for more than 30,000 calls for one participant.
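The three signals Group-IB describes (sequential sender numbers, one sender cluster voting for a single contestant, and automation code leaking into message bodies) are easy to check for in a vote log. The script below is an added example, not Group-IB’s tooling, run over a constructed log of fictional numbers in an assumed “timestamp sender contestant text” format.

```python
import re
from collections import Counter

# Constructed SMS vote log (fictional numbers): timestamp, sender, contestant voted for,
# and the message body. One body carries a leftover placeholder from a sending script.
SMS_LOG = """\
2019-04-26T20:01:03 +79990001001 7 7
2019-04-26T20:01:03 +79990001002 7 7
2019-04-26T20:01:04 +79990001003 7 7
2019-04-26T20:01:04 +79990001004 7 7 {phone}
2019-04-26T20:01:05 +79990001005 7 7
2019-04-26T20:01:05 +79260004412 3 3
2019-04-26T20:01:06 +79160009981 5 5
2019-04-26T20:01:06 +79037778812 7 7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\+\d+)\s+(\d+)\s+(.*)$")
# Things a human never types into a vote SMS but a template engine might leave behind.
TEMPLATE_RE = re.compile(r"\{[A-Za-z_]+\}|\$\w+|%[sd]")


def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"ts": m[1], "sender": m[2], "vote": m[3], "text": m[4]})
    return rows


def sequential_runs(senders, min_len=3):
    """Runs of numerically consecutive sender numbers, as (first, last, length)."""
    nums = sorted(set(int(s) for s in senders))
    runs, cur = [], nums[:1]
    for n in nums[1:]:
        if n == cur[-1] + 1:
            cur.append(n)
        else:
            if len(cur) >= min_len:
                runs.append(cur)
            cur = [n]
    if len(cur) >= min_len:
        runs.append(cur)
    return [("+%d" % r[0], "+%d" % r[-1], len(r)) for r in runs]


def votes_by_contestant(rows):
    return Counter(r["vote"] for r in rows)


def leaked_templates(rows):
    """Senders whose message body contains template or code residue."""
    return [r["sender"] for r in rows if TEMPLATE_RE.search(r["text"])]


def run_beneficiary(rows, runs):
    """Which contestant the sequential-number senders voted for (None if no runs)."""
    run_numbers = set()
    for lo, hi, _ in runs:
        run_numbers.update(range(int(lo), int(hi) + 1))
    c = Counter(r["vote"] for r in rows if int(r["sender"]) in run_numbers)
    return c.most_common(1)[0][0] if c else None


if __name__ == "__main__":
    rows = parse_log(SMS_LOG)
    runs = sequential_runs(r["sender"] for r in rows)
    print("sequential runs:", runs)
    print("votes:", votes_by_contestant(rows))
    print("template residue from:", leaked_templates(rows))
    print("run votes went to contestant:", run_beneficiary(rows, runs))
```

On a real log the interesting output is the same: a run of hundreds of consecutive numbers all voting the same way is a single purchaser of a number block, not hundreds of fans.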

According to the BBC, Russia’s Kommersant Daily reported that other competitors received less than 3,000 votes each.

More than unfair

Robocalls and robo-texts aren’t just unfair to kids competing in a talent competition. They do more than skew what should be fair elections, and they’re more than just illegal and aggravating – they’re also dangerous. Reports indicate that out of the four billion illegal robocalls made in August 2018 alone, 1.8 billion were associated with a scam. Analysis by global communications platform First Orion done at that time predicted that by this year, half of all mobile calls would be scams.

In the US, state attorneys general have been pleading with the Federal Communications Commission (FCC) to pull the plug on robocalls. A huge part of the problem is that it’s cheap and easy, the AGs said:

Virtually anyone can send millions of illegal robocalls and frustrate law enforcement with just a computer, inexpensive software (i.e., auto-dialer and spoofing programs), and an internet connection.

That’s backed up by the testimony of the “robocaller king” himself, Adrian Abramovich. A year ago, the FCC fined Abramovich $120 million for the nearly 97 million spoofed calls his marketing companies made to sell vacations at resorts that, surprise surprise, turned out to be so not the Marriott, Expedia, Hilton and TripAdvisor vacations initially mentioned.

In April 2018, the Senate Commerce, Science & Transportation Committee had subpoenaed Abramovich to explain exactly how easy it is to download automated phone-calling technology and to spoof numbers to make it look like calls are coming from a local neighbor.

What he told senators:

There is available open source software, totally customizable to your needs, that can be misused by someone to make thousands of automated calls with the click of a button.

Don’t blame the kids

Poor Mikella. We assume that she didn’t want to win by somebody flipping the switch on a bot voting onslaught, and now that invalidated vote has been taken away from her.

The Voice Kids, a worldwide franchise, was spun off from the hugely popular talent show The Voice. Channel One plans to celebrate “all the kids’ remarkable talent” with a special one-off show on 24 May, “in which all the season finalists and the semi-finalists will perform”, it said.

Don’t blame the children for any of this, Channel One said. It’s not their fault. Each participant becomes a member of the big Voice family, the station said, and “in a difficult moment, families become even more united.”

Hopefully, Mikella will be there at the second finale, getting a second try, belting it out on a more level playing field.

Monday review – the hot 20 stories of the week


Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

Latest videos

Microsoft has fixed an RDP vulnerability that can be exploited remotely, without authentication and used to run arbitrary code.


A WhatsApp zero-day has allowed an “advanced cyber actor” to successfully install spyware on victims’ phones with no more than a phone call.



Keeping Passwords Simple


You are often told your passwords are key to protecting your accounts (which is true!), but rarely are you given a simple way to securely create and manage all your passwords. Below we cover three simple steps to simplify your passwords, lock down your accounts, and protect your future.


The days of crazy, complex passwords are over. Those passwords are hard to remember, difficult to type, and with today’s super-fast computers can be easy for a cyber attacker to crack. The key to passwords is to make them long; the more characters you have the better. These are called passphrases: a type of strong password that uses a short sentence or random words. Here are two examples:

Time for strong coffee!
lost-snail-crawl-beach

Both of these are strong, with over twenty characters, easy to remember, and simple to type but difficult to crack. You will run into websites or situations requiring you to add symbols, numbers, or uppercase letters to your password, which is fine. Remember though, it’s length that is most important.
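The “length beats complexity” point can be put in numbers. The script below is an added example, not part of the OUCH! newsletter: it draws words with the secrets module (never the random module, which is predictable) and compares the guessing entropy of a four- or six-word passphrase from a 7,776-word diceware-style list with an eight-character password drawn from all 95 printable ASCII characters. The short word list inline is constructed for the demo.

```python
import math
import secrets

# Constructed word list for the demo; a real diceware list has 7,776 words.
WORDS = ["lost", "snail", "crawl", "beach", "coffee", "strong", "time", "river",
         "candle", "orbit", "maple", "quartz", "velvet", "lantern", "pepper", "fossil"]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = 95


def passphrase(words, count=4, sep="-"):
    """Random words joined with sep, chosen with a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits_wordlist(list_size, count):
    """Entropy of `count` words drawn uniformly (with replacement) from `list_size` words."""
    return count * math.log2(list_size)


def entropy_bits_charset(charset_size, length):
    """Entropy of `length` characters drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def compare(word_count, char_length):
    """(passphrase bits, complex-password bits, True if the passphrase is stronger)."""
    w = entropy_bits_wordlist(DICEWARE_LIST_SIZE, word_count)
    c = entropy_bits_charset(PRINTABLE_ASCII, char_length)
    return round(w, 1), round(c, 1), w > c


if __name__ == "__main__":
    print("example:", passphrase(WORDS))
    for n in (3, 4, 5, 6):
        print(f"{n} words vs 8 random chars:", compare(n, 8))
```

Four random diceware words land roughly where a truly random eight-character password does, and are far easier to remember and type; six words are comfortably past it. The catch is the word “random”: a passphrase that is a sentence you would actually say has much less entropy than this calculation assumes, which is why the generator picks the words for you.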

Password Managers

You need a unique password for every account. If you reuse the same password for multiple accounts, you are putting yourself in great danger. All a cyber attacker needs to do is hack a website you use, steal all the passwords including yours, then use your password to log in to all your other accounts as you. It happens far more often than you realize. Don’t believe it? Check out the website www.haveibeenpwned.com to see what sites you use that have been hacked and your passwords potentially compromised. So what should you do? Use a password manager.
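Checking a password against the Have I Been Pwned “Pwned Passwords” data does not require sending the password anywhere. The client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and searches the returned list of suffixes locally. The function below is an added example, not haveibeenpwned.com’s code; the HTTP response is constructed so that it runs offline, and the hit count in it is made up.

```python
import hashlib

# Real endpoint (not called here): https://api.pwnedpasswords.com/range/<first 5 hex chars>
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent and the suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Response lines look like 'SUFFIX:COUNT'; return {suffix: count}."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" in line:
            suffix, count = line.split(":", 1)
            out[suffix.upper()] = int(count)
    return out


def breach_count(password, range_body):
    """Number of times the password appears in the data, 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed stand-in for GET RANGE_URL + "5BAA6" (the prefix for "password").
# Only the one suffix matters for the demo; the count is invented.
CONSTRUCTED_RANGE_BODY = """\
1E2A5F3B3D1E6C2B2A9F0E1A2B3C4D5E6F7:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2D2C3B4A5968778695A4B3C2D1E0F1A2B:1
"""


if __name__ == "__main__":
    for pw in ("password", "lost-snail-crawl-beach"):
        prefix, _ = sha1_prefix_suffix(pw)
        print(pw, "-> query", RANGE_URL + prefix, "-> seen", breach_count(pw, CONSTRUCTED_RANGE_BODY), "times")
```

Because the server only ever learns a five-character prefix shared by hundreds of hashes, it cannot tell which password was checked; this is the same k-anonymity scheme password managers use for their “compromised password” warnings.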

These are special computer programs that securely store all your passwords in an encrypted vault. You only need to remember one password: the one for your password manager. The password manager then automatically retrieves your passwords whenever you need them and logs you in to websites for you. They also have other features such as storing your answers to secret questions, warning you when you reuse passwords, a password generator that ensures you use strong passwords, and many other features. Most password managers also securely sync across almost any computer or device, so regardless of what system you are using you have easy, secure access to all your passwords.

Finally, be sure to write down the password to your password manager and store that in a secure location at home. Some password managers even let you print out a password manager recovery kit. That way, if you forget the password to your password manager you have a backup. Or, if you get sick or find yourself in an emergency, your spouse or trusted family member can retrieve the information on your behalf.

Two-Step Verification

Two-step verification (often called two-factor authentication or multi-factor authentication) adds an additional layer of security. It requires you to have two things when you log in to your accounts: your password and a numerical code which is generated by your smartphone or sent to your phone. This process ensures that even if a cyber attacker gets your password, they still can’t get into your accounts. Two-step verification is simple to set up and you usually only need to use it once when you log in from a new computer or device. Enable this whenever possible, especially for your most important accounts such as your bank or retirement accounts, or access to your email. If you are using a password manager, we highly recommend you protect it with a strong passphrase AND two-step verification.
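The “numerical code generated by your smartphone” is, in most authenticator apps, a time-based one-time password (TOTP, RFC 6238): an HMAC of the current 30-second time step under a secret shared at enrolment, truncated to six digits. The implementation below is an added example, not from the newsletter, and is checked against the RFC’s own SHA-1 test vectors; the drift window in verify_totp is a common server-side choice, not something the RFC mandates.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1):
    """Accept the code for the current step and +/- `window` steps (phone clock drift).

    The comparison is constant-time; a larger window widens the replay opportunity,
    so one step either side is the usual compromise.
    """
    now = int(time.time() if for_time is None else for_time)
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + k * step, step), code):
            return True
    return False


def secret_from_base32(s):
    """Authenticator apps are enrolled with a base32 secret (from the QR code's otpauth URI)."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret for HMAC-SHA1 (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print("T=59 ->", totp(rfc_secret, 59, digits=8))      # RFC vector: 94287082
    print("now  ->", totp(secret_from_base32("JBSWY3DPEHPK3PXP")))
```

Two practical points fall out of the code: the secret is a shared secret, so a server database leak exposes every user’s second factor just as a password database leak exposes passwords; and the code is only valid for the step it was generated in, so an attacker who phishes a code has to use it within roughly a minute.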

It may sound silly, but these three simple steps go a long way in protecting your job, your reputation, and your financial future.



Have I Been Pwned:  https://haveibeenpwned.com/
Two-factor Authentication Site:  https://twofactorauth.org/
Long Live the Passphrase:  http://www.sans.org/u/OKJ
Time for Password Expiration to Die:  http://www.sans.org/u/OKO
NIST SP800-63B Digital Identity Guidelines:  https://pages.nist.gov/800-63-3/sp800-63b.html

OUCH! is published by SANS Security Awareness and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. Editorial Board: Walt Scrivens, Phil Hoffman, Alan Waggoner, Cheryl Conley

Account Hijacking Forum OGusers Hacked

Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.

On May 12, the administrator of OGusers explained an outage to forum members by saying a hard drive failure had erased several months’ worth of private messages, forum posts and prestige points, and that he’d restored a backup from January 2019. Little did the administrators of OGusers know at the time, but that May 12 incident coincided with the theft of the forum’s user database, and the wiping of forum hard drives.

On May 16, the administrator of rival hacking community RaidForums announced he’d uploaded the OGusers database for anyone to download for free.


“On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected,” the message from RaidForums administrator Omnipotent reads. “I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).
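Omnipotent’s surprise at “default salted MD5” is worth unpacking. Per-user salts stop precomputed tables and force one attack per user, but MD5 is fast enough that a per-user dictionary attack still costs next to nothing. The script below, an added example and not the forum’s code, assumes the MyBB scheme md5(md5(salt) + md5(password)), which is what “default salted MD5” most plausibly means for a MyBB-style forum (an assumption); the leaked rows are constructed. The PBKDF2 function at the end is the kind of slow, tunable hash a forum should have used instead.

```python
import hashlib

# Constructed usernames, salts and candidate passwords. The hashes are derived
# from them so the demo is honest about what it "recovers".
USERS = [("ace_", "Qk3pZx9a", "letmein1"),
         ("swapper22", "7LmN0vBc", "dragon"),
         ("ghost", "Xy12Ab34", "c0rr3ct-h0rse-b4tt")]

WORDLIST = ["123456", "password", "dragon", "letmein1", "qwerty", "iloveyou"]


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def mybb_hash(password, salt):
    """Assumed MyBB scheme: md5(md5(salt) + md5(password))."""
    return md5hex(md5hex(salt) + md5hex(password))


# What the dumped users table would hold: (username, salt, hash)
LEAK = [(u, salt, mybb_hash(pw, salt)) for u, salt, pw in USERS]


def crack(rows, wordlist):
    """Per-user dictionary attack. The salt means one pass per user, not one per dump,
    but each guess is a couple of MD5 calls, so that hardly matters."""
    found = {}
    for user, salt, h in rows:
        salted = md5hex(salt)                         # hoisted: constant per user
        for guess in wordlist:
            if hmac_free_eq(md5hex(salted + md5hex(guess)), h):
                found[user] = guess
                break
    return found


def hmac_free_eq(a, b):
    # Attacker side: timing does not matter here, plain comparison is fine.
    return a == b


def pbkdf2_hash(password, salt, iterations=200_000):
    """The slow alternative: each guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


if __name__ == "__main__":
    print("recovered:", crack(LEAK, WORDLIST))
    print("pbkdf2 for ace_:", pbkdf2_hash("letmein1", "Qk3pZx9a")[:16], "...")
```

Two of the three constructed accounts fall to a six-word dictionary; the third survives only because its password is not in the list, not because of anything the hash did. With PBKDF2 at a couple of hundred thousand iterations (or bcrypt, scrypt or Argon2) the same attack costs several orders of magnitude more per guess.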

The publication of the OGuser database has caused much consternation and drama for many in the community, which has become infamous for attracting people involved in hijacking phone numbers as a method of taking over the victim’s social media, email and financial accounts, and then reselling that access for hundreds or thousands of dollars to others on the forum.

Several threads on OGusers quickly were filled with responses from anxious users concerned about being exposed by the breach. Some complained they were already receiving phishing emails targeting their OGusers accounts and email addresses. 

Meanwhile, the official Discord chat channel for OGusers has been flooded with complaints and expressions of disbelief at the hack. Members vented their anger at the main forum administrator, who uses the nickname “Ace,” claiming he altered the forum functionality after the hack to prevent users from removing their accounts. One user on the Discord chat summed it up:

“Ace be like:

- not replace broken hard drives, causing the site to time warp back four months
- not secure website, causing user info to be leaked
- disable selfban so people can’t leave”

It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.


Cisco AMP for Endpoints excelling in AV Comparatives Business Main Test Series

AV-Comparatives has long been the benchmark of third-party testing in the endpoint security space. This year, for the first time ever, AMP for Endpoints participated in AV-Comparatives malware testing. The Business Main Test Series was broken up into two main sections: the Malware Protection Test and the Business Real-World Protection Test.

While the full report will be released in July, AV-Comparatives released a short fact sheet today. Because the test is only partially completed, the results will continue to vary, but Cisco AMP for Endpoints expects to maintain consistently high scores.


First, let’s give the brief facts behind the Business Main Test Series:

– 19 products are participating
– All products tested on Windows 10 RS5 64-bit
– All vendors were allowed to configure their products
– Cloud and PUA detection activated in all products

Given these parameters, the 19 products will take part in a four-month test culminating in July. At this midpoint, however, the products have completed the two aforementioned tests.

For more information on specific configurations and a list of all participants, read the full fact sheet here.

Malware Protection Test 

In this test, the products were tested with 1,311 different malware samples. Based on criteria defined by AV-Comparatives in their report, the products were given parameters to detect the malware samples.

So far, AMP for Endpoints is one of eight products to have a malware protection rate of 99.8% or higher. In addition to this extremely high detection rate, AMP for Endpoints registered 0 false alarms on common business software.

AV-Comparatives also performed tests on non-business software. This will not affect the final “Approved Business Product” rating they deliver, but the results are notable because they help demonstrate how well a product can really delineate between good and bad. Cisco AMP for Endpoints was granted the highest rating of “very low,” which denotes 0-5 false positives on non-business software.

Cisco AMP for Endpoints consistently pledges to deliver elite threat detection, investigation, and response. The 99.8% malware protection rate so far highlights Cisco AMP for Endpoints’ ability to deliver on that pledge. At the same time, the low number of false positives shows that Cisco AMP for Endpoints does not need to bog down IT professionals with useless alerts, allowing them to focus on what’s really important.

Real-World Protection Test

Over the course of two months, the products encountered 389 test cases. Of the 389 test cases, Cisco AMP for Endpoints has blocked all but three while producing zero false alarms, resulting in a 99.2% protection rate so far. Cisco AMP for Endpoints is one of only three products to have zero false alarms; others have already flagged up to 18 false alarms.


It is important to note that this test has not concluded. We are, however, very excited for a continued strong showing from Cisco AMP for Endpoints in the second half of the test. So far, Cisco AMP for Endpoints has already shown an elite combination of threat detection, investigation, and response combined with low false positives designed to empower IT professionals to quickly identify and respond to threats.

For more on the report, click here.

To try AMP for Endpoints for free, sign up for the free trial.


Week in security with Tony Anscombe

ESET researchers detail how ASUS’s cloud service has been abused to distribute the Plead malware; in other news, ESET’s telemetry shows that the use of the EternalBlue exploit is reaching new highs

ESET researchers document how attackers have distributed the Plead malware via compromised routers and man-in-the-middle attacks against the legitimate ASUS WebStorage software. In other news, two years after the EternalBlue exploit powered the WannaCryptor ransomware outbreak, data from ESET telemetry shows that the use of the exploit is now at its peak. All this – and more – on WeLiveSecurity.