What you need to know for your personal cyber security life…
Number Nineteen in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life everyday now is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the loop.
# # #
New attack on HTTPS crypto might reveal if you’re pregnant or have cancer
- By Dan Goodin
- Ars Technica
- March 6 2014
As the most widely used technology to prevent eavesdropping on the Internet, HTTPS encryption has seen its share of attacks, most of which work by exploiting weaknesses that allow snoops to decode cryptographically scrambled traffic. Now there’s a novel technique that can pluck out details as personal as someone’s sexual orientation or a contemplation of suicide, even when the protection remains intact.
A recently published academic paper titled “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis” shows how even strongly encrypted Web traffic can reveal highly personal information to employers, Internet service providers, state-sponsored spies, or anyone else with the capability to monitor a connection between a site and the person visiting it. As a result, it’s possible for them to know with a high degree of certainty what video someone accessed on Netflix or YouTube, the specific tax form or legal advice someone sought from an online lawyer service, and whether someone visiting the Mayo Clinic website is viewing pages related to pregnancy, headaches, cancer, or suicide.
The attack works by carefully analyzing encrypted traffic and taking note of subtle differences in data size and other characteristics of the encrypted contents. In much the way someone holding a wrapped birthday present can tell if it contains a book, a Blu-ray disk, or a box of candy, an attacker can know with a high degree of certainty the specific URL of the HTTPS-protected website. The transport layer security and secure sockets layer protocols underpinning the Web encryption specifically encrypt the URL, so until now, many people presumed an attacker could only deduce the IP address of a site someone was visiting rather than specific pages belonging to that site.
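To make the "wrapped present" intuition concrete from the defender's side, the following added example (not code from the paper or from Ars Technica) simulates the size channel the article describes and one standard mitigation, response padding. The page paths and byte counts are constructed sample values for an imaginary clinic site, not measurements of any real website; the function names are the example's own.

```python
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed sample data (hypothetical, not taken from the paper): the total
# number of bytes an on-path observer would see for each page of an imaginary
# clinic site. TLS hides the content and the URL, but ciphertext length tracks
# plaintext length, so each page keeps a recognisable "size shape".
PAGE_SIZES: Dict[str, int] = {
    "/conditions/pregnancy": 48_213,
    "/conditions/headache": 51_870,
    "/conditions/cancer": 48_290,
    "/conditions/suicide": 39_502,
}


def pad_size(size: int, block: int) -> int:
    """Round a response length up to the next multiple of `block` bytes."""
    return -(-size // block) * block


def build_index(sizes: Dict[str, int], block: Optional[int] = None) -> Dict[int, Set[str]]:
    """Map each observable length to the set of pages that produce it.

    With block=None the server sends pages unpadded; otherwise every response
    is padded to a multiple of `block` bytes before encryption.
    """
    index: Dict[int, Set[str]] = defaultdict(set)
    for page, size in sizes.items():
        observed = pad_size(size, block) if block else size
        index[observed].add(page)
    return dict(index)


def candidates(observed: int, index: Dict[int, Set[str]]) -> Set[str]:
    """What a passive observer can infer from a single observed length."""
    return set(index.get(observed, set()))


def anonymity_set_size(index: Dict[int, Set[str]]) -> int:
    """Smallest group of pages sharing one length, i.e. the worst case for
    any single page. A value of 1 means some page is uniquely identifiable
    from its size alone."""
    return min(len(pages) for pages in index.values())


def padding_overhead(sizes: Dict[str, int], block: int) -> float:
    """Fraction of extra bytes the padding defence costs across all pages."""
    raw = sum(sizes.values())
    padded = sum(pad_size(s, block) for s in sizes.values())
    return (padded - raw) / raw


if __name__ == "__main__":
    for block in (None, 16_384, 65_536):
        idx = build_index(PAGE_SIZES, block)
        label = "unpadded" if block is None else f"padded to {block} B"
        print(f"{label:22} min anonymity set = {anonymity_set_size(idx)}")
    print(f"overhead at 64 KiB padding: {padding_overhead(PAGE_SIZES, 65_536):.1%}")
```

Unpadded, every page in the sample maps to a distinct length, so one observed size names one page. Padding to 16 KiB blocks merges three of the four pages but still leaves the headache page alone in its bucket, which is the practical lesson: a padding scheme has to be chosen against the site's actual size distribution, and the block size that finally hides all four pages here costs roughly 40 percent extra bandwidth. The real paper's attack also uses timing and packet-burst features, which padding alone does not remove.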
# # #
Visa CFO: ‘Quite a bit of investment’ needed to install chip technology
- By Larry Dignan
- Between the Lines
- ZDNet News
- March 6, 2014
Visa’s chief financial officer said that securing retail point-of-sale infrastructure will take a hefty investment, chips on credit cards are critical and better encryption may be the fastest way to secure transactions.
Byron Pollitt, CFO of Visa, said at the Morgan Stanley Technology Media & Telecom conference that cybersecurity is the No. 1 topic in the payment ecosystem following the widely publicized data breaches at Target. Target CIO Beth Jacob resigned on Wednesday.
Pollitt characterized security as a never-ending investment cycle for retailers. In the near term, Pollitt said Visa will be “pushing more in the encryption activity. Encryption that goes beyond the minimum required to be PCI compliant.”
Why? Better encryption could be implemented the fastest. So-called chip and PIN technology is also critical, but will take more time to implement, he said. EMV (Europay, Mastercard, Visa) puts chips on cards and makes them harder to counterfeit. About 70 percent of fraud revolves around the magnetic stripe on credit cards.
# # #
The greatest security story never told — how Microsoft’s SDL saved Windows
- By John E Dunn
- 06 March 2014
Microsoft has launched a new website to “tell the untold story” of something it believes changed the history of Windows security and indeed Microsoft itself — the Software Development Lifecycle or plain ‘SDL’ for short.
For those who have never heard of the SDL, or don’t have the remotest idea why it might be important, the new site offers some refreshingly candid insights to change their minds.
Without buying into the hype, the SDL can still fairly be described as the single initiative that saved Redmond’s bacon at a moment of huge uncertainty in 2002 and 2003. Featuring video interviews with some of its instigators and protagonists, the new site offers outsiders a summary of how and why Microsoft decided to stop being a software firm and become a software and security firm in order to battle the malware that was suddenly smashing into its software.
Few outside the firm knew of the crisis unfolding inside its campus but not everyone was surprised. Microsoft now traces the moment the penny dropped to the early hours of a summer morning in 2001, only weeks before it was due to launch Windows XP to OEMs.
# # #
Criminals on Tor is the price of global liberty
- By Antone Gonsalves
- CSO Online
- March 06, 2014
Research pointing to rising criminality on Tor shows the cost of having a network that provides anonymity to whistleblowers, journalists, political dissidents and others trying to avoid government surveillance.
Experts agreed on Thursday that nothing could be done to prevent cybercriminals from using Tor without raising the risk to legitimate users. Recent research by Kaspersky Lab expert Sergey Lozhkin found that “the cybercriminal element is growing” on the anonymity network.
The way Tor is used by Chinese dissidents to skirt the Great Firewall and oppressive censorship is the same way criminals cloak the operators of marketplaces and forums where criminals can rent botnets for DDoS attacks or to distribute malware, buy stolen credit card numbers and launder bitcoins, the most widely used currency on the dark Web.
“If it were possible to stop criminals from using Tor, it would be useless,” Julian Sanchez research fellow at the Cato Institute, said. “After all, the dissidents who use it to protect themselves are considered criminals by their own regimes.”
# # #
What Will $5 Billion in Military Cyber Spending Pay For?
- By Patrick Tucker
- March 5, 2014
The Pentagon wants $5.1 billion for cyber operations next year, an increase of about $4 million over this year’s budget, but exactly what the military wants to buy with that money is unclear.
“There’s no set of program elements that led to this number. Maybe there needs to be, but right now there isn’t,” said outgoing comptroller Bob Hale, rolling out the Obama administration’s fiscal 2015 spending request at the Pentagon on Tuesday.
Budgeting for more cybersecurity makes sense to defense planners who argue the threat continues to grow. But how to spend that money is still very much up for debate at the Pentagon.
“The question isn’t the funding side, but figuring out the proper roles and responsibilities, especially in how the line is better set between DOD, the rest of government and private responsibilities,” said Peter Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution. Though that’s not a new worry, either.
# # #
CIO not the only one to blame for Target breach
- By Jaikumar Vijayan
- March 5, 2014
That someone had to take the fall for the massive breach at Target is neither surprising nor unexpected. The only question is whether more heads will roll in the aftermath of one of the biggest data compromises in retail history.
Target on Wednesday announced that Beth Jacob, its CIO of more than five years, had resigned. The move comes less than two months after the retail giant disclosed it had suffered a data breach that exposed sensitive data on more than 40 million credit and debit cards.
Later, the company announced that emails, addresses and other information on another 70 million people might also have been exposed as the result of the intrusion, which occurred over the 2013 Thanksgiving weekend.
In a statement to the Associated Press, Target CEO Gregg Steinhafel said the company is searching for an interim CIO to help it through an information security overhaul that began after the breach.
# # #
Hospital records used to ‘target ads on Twitter and Facebook’ say privacy campaigners, in latest NHS data concerns
- By CHARLIE COOPER
- HEALTH REPORTER
- 03 March 2014
The security of NHS data was thrown into further doubt yesterday after it emerged anonymous patient information has been used by a marketing consultancy to advise clients on targeting their social media campaigns.
It comes amid growing concerns over plans to trawl patient records from every GP surgery in England, which were postponed last month after NHS chiefs admitted they had not done enough to inform and reassure the public about the scheme, known as care.data. MPs sought reassurances last week that the GP data, which could be accessed by researchers and approved private companies, would not be vulnerable to breaches of patient confidentiality.
In another blow to public confidence in the scheme, it was also reported yesterday that the entire hospital episodes statistics (HES) dataset has been uploaded to Google servers. A management consultancy firm called PA Consulting used Google tools to create interactive maps out of HES data, it emerged. The HSCIC said it had received assurances that no Google staff would be able to access the data, and the firm said that the data was “held securely”.
Medconfidential, which campaigns for better security around medical records, said that they were also concerned that HES data had been released, in pseudonymised form, to a consultancy firm, Beacon Dodsworth, which uses a coded version of HES data to help its clients “establish trends and understand patterns allowing you to tailor your social marketing or media awareness campaigns.” Its chairman, Geoff Beacon, told The Independent that the firm had “not been allowed near the raw data”, which had been handled by a public sector health observatory.
# # #
The Open Enigma Project Kickstarter
- By William Knowles
- Senior Editor
- InfoSec News
- March 5, 2014
Imagine having this iconic device on your desk: You can use it to simply display a scrolling marquee of any text message on its unique LED screen, or encrypt/decrypt any information you wish using a key that is (still today) very secure. This is an ideal device to teach or learn about encryption, history & math. Because of its open software & the community of developers, the possibilities are endless & your reward is bound to increase in value over time as new applications (like e-mail encryption, secure router, etc) are written.
The original (pre-war) Enigma code was initially broken in Poland and subsequently by a team of Bletchley Park cryptologists under the leadership of U.K.’s own Alan Turing who is one of the fathers of computer science. Bletchley Park’s ability to break the Enigma code is believed to have shortened World War II by about 2 years. Enigma machines are an extremely rare and important part of computing history. A real Enigma machine sold for $200,000 in 2011.
Transforming a prototype into a production unit takes a lot of effort, time & MONEY. This is where you come in! Whether you are brand new to the world of Encryption or a seasoned Cryptologist, whether you know every detail of the German Enigma’s story or it’s news to you, YOU can help us write its future.
Not only will your pledge let you enjoy this phenomenal product, but it will also help us continue to develop its feature set.
# # #
Italian spyware firm relies on U.S. Internet servers
- By Ellen Nakashima and Ashkan Soltani
- The Washington Post
- March 3, 2014
An Italian computer spyware firm, whose tools foreign governments allegedly have used to snoop on dissidents and journalists, relies heavily on the servers of U.S. Internet companies, according to a new report.
At least 20 percent of the servers used by clients of Hacking Team, based in Milan, are located in the United States, effectively making the companies that own those servers key nodes in a hidden global network of spyware servers, according to a report to be released Tuesday by Citizen Lab, at the University of Toronto’s Munk School of Global Affairs.
The discovery raises ethical questions for the cloud companies whose servers Hacking Team clients use to surreptitiously take control of targets’ computers and phones, turn on Web cameras and intercept encrypted communications. And it comes amid a growing cry for export controls on such software.
The United States was home to the single largest concentration of Hacking Team servers detected since May 2012, according to the researchers. Of the 555 machines identified worldwide, the researchers found that 80 belonged to Linode, a New Jersey firm, and that 40 of those were in the United States.
# # #
DHS proposes $1.25 billion for cybersecurity
- By David Perera
- March 4, 2014
The proposed Homeland Security Department cybersecurity budget for the coming federal fiscal year amounts to $1.25 billion, show budget documents released today.
DHS over the course of the Obama administration has assumed an increasingly central role in securing federal networks and in urging private sector companies considered to be “critical infrastructure” into better cybersecurity practices.
Under the cybersecurity executive order President Obama signed in 2013 (EO 13636), DHS now also has the task of encouraging critical infrastructure firms into adopting the framework of controls released by the National Institute of Standards and Technology in February.
An overview of the DHS fiscal 2015 budget proposal shows DHS planning to spend $8.5 million on a voluntary adoption program.
Other notable elements of the DHS cybersecurity proposal include:
# # #
No special treatment for China on XP, patches end April 8 in the PRC, too
- By Gregg Keizer
- March 3, 2014
Microsoft today said it has not changed the end-of-support policy for Windows XP users in China, and will still cut off those customers — as it will others around the world — from security patches after April 8.
“Nothing has changed regarding Windows XP support,” a Microsoft spokeswoman said in an email reply to questions.
Earlier today, a story by the IDG News Service, which is operated by IDG, the parent company of Computerworld, reported that Microsoft’s China arm had announced some Windows XP security-related news.
Essentially, Microsoft said it was working with several Chinese antivirus (AV) vendors to continue security software support of XP, and to provide signature updates — the “fingerprints” of newly-discovered malware that makes it possible for an AV engine to detect and block those threats — for that software.
# # #
Could the NHS give you a computer virus? Outdated software is putting official sites at risk of attack
- By James Temperton
- Computer Active Magazine
- 4 March 2014
Hundreds of NHS websites have huge security flaws that could see them taken over or defaced by hackers.
During investigations, more than 2,000 vulnerabilities have been found, with experts warning criminals could use these flaws to easily infect people’s computers and steal their personal information.
There are said to be around 5,000 NHS domains – covering everything from GPs’ surgeries to sites that help people give up smoking or offer advice on breastfeeding.
However, because there’s no central body responsible for the security and maintenance of these sites, many are abandoned, making them easy prey for hackers.
The majority of these flaws are caused by outdated versions of WordPress.
# # #
FedRAMP Cloud Security Approval: Look Who Applied
- By Wyatt Kash
- InformationWeek Government
- March 4, 2014
FedRAMP (Federal Risk and Authorization Management Program), the program that helps agencies migrate to the cloud securely, is making public the names of cloud service providers that are in the process of obtaining the government’s security certification.
The information appears in a new FedRAMP resource section on the Federal CIO Council’s cloud.cio.gov site. FedRAMP.gov visitors were redirected to the site beginning last week. The new site provides a range of materials that agencies and cloud providers need to meet FedRAMP requirements.
The new FedRAMP site identifies, among other information, 10 previously undisclosed “cloud systems in process” seeking FedRAMP certification for new or additional cloud infrastructure, platform, and software services. The site provides details on the services under review from CenturyLink Technology Solutions, Clear Government Solutions (CGS), Economic Systems, Fiberlink (a unit of IBM), Hewlett-Packard, Layered Tech Government Solutions, Microsoft, Oracle, SecureKey Technologies, and Virtustream. CA Technologies also is reportedly seeking FedRAMP certification.
FedRAMP has already certified 14 cloud services from 12 providers, including an Oracle PaaS offering approved on Feb. 24.