Monthly Archives: July 2014

Your travel records tell the government your IP, email, credit card, call center notes

What does the government know about your travel records via Passenger Name Records?

Have you ever been curious as to what information the government has stored about you and your travel records? A Passenger Name Record (PNR) is a computerized travel record created by airlines or travel agencies for both domestic and international flights, as well as hotel bookings, car rentals, cruises, and train trips. Your PNR, which is given to U.S. Customs and Border Protection (CBP) if you travel internationally, can include details like your un-redacted credit card number or IP addresses. As Ars Technica’s Cyrus Farivar found out, your PNR is just another example of the government’s “collect it all” mentality.

Farivar submitted a Freedom of Information Act request to CBP for his PNR; he was eventually given 76 pages of data covering his travel from 2005 to 2013. He said his PNRs included “every mailing address, email, and phone number” he ever used, as well as some PNRs listing the IP address he used when buying the ticket, his full credit card number stored in the clear, and notes jotted down by airline call center employees “even for something as minor as a seat change.”

After he consulted travel writer Edward Hasbrouck, Farivar was told, “PNRs like mine are created for domestic flights, too, but that it’s only for international travel that data is routinely given to CBP.” He also learned that every notation made by an airline call center employee, for things such as seat changes or even special needs requests, can stay in your permanent file kept by DHS.

Hasbrouck has written extensively about what’s in a PNR and about Computerized Reservation System databases.

If you make your hotel, car rental, cruise, tour, sightseeing, event, theme park, or theater ticket bookings through the same travel agency, Web site, or airline, they are added to the same PNR. So a PNR isn’t necessarily, or usually, created all at once: information from many different sources is gradually added to it through different channels over time.

When a ticket is issued, that is recorded in the PNR; if it’s an e-ticket, the actual “ticket”, as defined by the airline, is the electronic ticket record in the PNR. When you check in, the claim check numbers and the weights of your bags are added to the PNR. If you don’t show up for a flight on which you are booked, that fact is logged in the PNR.

Any additions, changes, cancellations, seat assignment or special needs requests can also be added to the PNR. Hasbrouck explained, “The bottom line is that PNRs contain a great deal of confidential and sensitive information deserving of strong privacy protection, but not necessarily even the most basic information needed for positive identification or ‘profiling’ of travelers.”

The amount of personal and sensitive data collected in PNRs has been an area of concern for some privacy watchdogs, like EPIC. The PNR could include “the passenger’s full name, date of birth, home and work address, telephone number, email address, credit card details, IP address if booked online, as well as the names and personal information of emergency contacts.” A PNR could also contain “detailed information on patterns of association between travelers,” as well as sensitive information like “religious meal preferences and special service requests that describe details of physical and medical conditions (e.g., ‘Uses wheelchair, can control bowels and bladder’).”

Farivar found out that after booking a flight with Travelocity, the PNR included “a huge amount of information,” like his full credit card number. Storing credit card numbers in the clear is a breach of PCI data security standards.

“Why isn’t the government complying with even the most basic cybersecurity standards?” asked Fred Cate, a law professor at Indiana University. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”
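One defensive check the PCI point above calls for, as an added example that is not code from the article or from any airline, reservation or CBP system: a scanner that finds Luhn-valid card numbers in free-text booking fields (the record layout, field names and sample values are constructed) and masks them to the last four digits before the record is retained or shared.

```python
"""Detect and mask un-redacted payment card numbers (PANs) in stored
booking records.

Added example for this page, not code from any real PNR system: the record
layout below is a constructed approximation of PNR-style data with free-text
remarks, used to show how a defender would find PCI DSS violations (PAN
stored in the clear) before the data is retained or shared.
"""
import re
from typing import Dict, List, Tuple

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual PCI DSS display form."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid candidate PAN in a string with its masked form.

    Returns (redacted text, number of PANs found). Digit runs that fail Luhn
    (ticket numbers, phone numbers) are left untouched.
    """
    found = 0

    def _sub(m: "re.Match[str]") -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, text), found


def redact_record(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Scan every field of a record; return the cleaned record and the
    names of the fields that held a clear-text PAN (for alerting)."""
    cleaned: Dict[str, str] = {}
    hits: List[str] = []
    for field, value in record.items():
        new_value, n = redact_text(value)
        cleaned[field] = new_value
        if n:
            hits.append(field)
    return cleaned, hits


# Constructed sample records. The card numbers are well-known test PANs
# (Luhn-valid but not issued to anyone); the phone and ticket numbers are
# invented and fail Luhn, so they must survive untouched.
SAMPLE_RECORDS = [
    {
        "passenger": "DOE/JANE",
        "form_of_payment": "CC VI 4111111111111111 EXP 0816",
        "remarks": "PAX REQ AISLE SEAT; CALLED 212-555-0100 TO CONFIRM",
    },
    {
        "passenger": "ROE/RICHARD",
        "form_of_payment": "CASH",
        "remarks": "REISSUE TKT 0161234567890 CARD ON FILE 5500 0000 0000 0004",
    },
]


def scan_records(records=SAMPLE_RECORDS):
    """Run the redaction over a batch; returns a list of (cleaned, hits)."""
    return [redact_record(r) for r in records]


if __name__ == "__main__":
    for cleaned, hits in scan_records():
        print("PAN found in:", hits or "nothing", "->", cleaned)
```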

Cate also told Farivar:

“No wonder the government can’t find needles in the haystack—it keeps storing irrelevant hay. Even if the data were fresh and properly secured, how is collecting all of this aiding in the fight against terrorism? This is a really important issue because it exposes a basic and common fallacy in the government’s thinking: that more data equates with better security. But that wasn’t true on 9/11, and it still isn’t true today. This suggests that US transportation security officials are inefficient, incompetent, or using the data for other, undisclosed purposes. None of those are very encouraging options.”

The government may not have wanted Farivar to see what his PNRs contained, as he had to appeal his FOIA request. But it’s not just PNRs with sensitive information that DHS/CBP can access. An investigation by the Toronto Star found that thousands of Canadians, who were never convicted of a crime, are listed in massive police databases that are accessible to U.S. border authorities. Toronto police had also been accused of “disclosing the mental health records it logs into Canada’s national police database,” and then sharing the sensitive medical records with U.S. border authorities, ultimately resulting in Canadians being blocked from entering the U.S.

CBP claims PNR data is kept for five years, but as Farivar found out after seeing nine years of his travel records, “We now live in a world where it’s increasingly difficult to prevent the authorities from capturing information on one’s movements or communications.” Indeed, it’s part of the “collect it all” mentality…just in case you – or someone you know or sat by during travel – might turn out to be a crook or terrorist.


Via: networkworld

Boston Testing Solar-Powered Benches That Charge Smartphones


Continuing the trend toward nearly everything becoming smartphone-friendly — from ovens to boxing gloves — benches in the Boston area are getting a technology boost, too.

Some park dwellers in the region are already charging their mobile devices via solar-powered benches, which could eventually collect real-time data about their surrounding environment too (think air quality and noise levels).

Smart urban furniture company Soofa (developed by Changing Environments, an MIT Media Lab spin-off) is bringing more of its solar-powered benches to Boston and Cambridge, Mass. parks soon. The name Soofa stems from an acronym the company developed to describe a smart urban furniture appliance: SUFA. To give it more of a Silicon Valley feel, co-founder Sandra Richter switched the letter u to a double o.

The company aims to make the bench a kind of urban watercooler for people to meet and refuel their devices before continuing with their day.

“There isn’t too much knowledge or perception around renewable energy these days because people are removed from it — it’s either on the roof or set aside somewhere that you don’t see it,” co-founder Sandra Richter told Mashable. “We wanted to change the way people see its immediate benefits by putting something out into public spaces.”


President Obama is one of the first people to try out the smart bench. Also pictured: Soofa co-founder Sandra Richter.

Image: Soofa

Six benches are already installed at various locations in Boston, with four more scheduled to roll out in the coming weeks. The company has about 100 solar-power-equipped benches ready to go, with plans to produce more to keep up with demand.

“It’s hard to get investors to back something that is a new market, but we’ve already gotten so many requests from corporate campuses, education organizations, retailers and cities, from Tel Aviv to places in Italy, Germany and Hong Kong, so now we’re focused on how to scale quickly,” said Richter.

City benches vary in price — in some cases, parks have spent $10,000 on cast iron benches, while others are significantly cheaper. Addressing the cost issue, Richter said, “The smart benches will be on the pricier side because of the electronics, but we want it also to be affordable enough to encourage adoption.”



The project became a full business earlier this year, and later partnered with Verizon and Cisco to help get it off the ground, but urban charging isn’t entirely new. For example, Street Charge has charging stations in places like Central Park and throughout Amsterdam, offering city goers a place to juice up their smartphones while on the go. But, as Richter puts it, “why stand when you can sit?”

“It’s great that there is an effort from young designers to bring tech and design into the urban environment,” she added. “We’re looking at developing other urban fixtures that could be used in a smart city environment, too.”



Via: mashable

Amazon Officially Announces Kindle Unlimited, Offering Endless Reading And Listening For $9.99 A Month

Amazon officially announced Kindle Unlimited, an all-you-can-eat reading and listening service that we first mentioned two days ago. Dubbed a “Netflix for books” by our own Darrell Etherington, the service offers over 600,000 books for free reading on Kindle and Kindle-enabled devices as well as thousands of audiobooks from Audible. Books include the Diary of a Wimpy Kid series, the Hunger Games Trilogy, and Flash Boys, as well as other bestsellers. It also includes access to Kindle-only exclusives as well as older titles from the company’s extensive catalog of older works, including To The Lighthouse and Cat’s Cradle. Most interesting, however, is Whispersync for Voice, which allows you to move from reading to listening without losing your place in the book. The service, at this point, appears unlimited and you can have as many books in your library as you wish. There is a new button in the book buying interface – “Read for Free” – but it is unclear how royalties are shared with authors.

The service is very similar to Amazon Prime Video, the all-you-can-watch video service. While there are a number of very visible best-sellers on the list, the majority of the content is niche content that may receive a new audience thanks to Unlimited. It is also surprising that the big five – the major publishers – are offering some of their best and most popular titles on the service. Clearly the revenue sharing proposition is interesting, especially considering you have a captive audience of intense readers who are willing to pay $10 a month for limitless ebooks. This is also bad news for services like Oyster. Once the Amazon juggernaut lands in your back yard, there’s little to stop them from rolling over smaller competitors. All said, this will definitely be an interesting step for indie authors looking for wider reach.

Introducing Kindle Unlimited: Unlimited Reading and Listening on Any Device—Just $9.99 a Month

Read freely from over 600,000 books—available on Kindle devices, as well as free Kindle reading apps for iOS, Android and more. Listen to thousands of audiobooks from Audible, or switch easily between reading and listening with Whispersync for Voice.

Enjoy best sellers including the Harry Potter series, The Hobbit and The Lord of the Rings trilogy, the Hunger Games trilogy, Diary of a Wimpy Kid books, and Flash Boys

The most cost-effective way to enjoy audiobooks such as The Handmaid’s Tale, Life of Pi, and Capital in the Twenty-First Century

Start a free 30-day trial today

SEATTLE—July 18, 2014—(NASDAQ:AMZN)— today introduced Kindle Unlimited—a new subscription service which allows customers to freely read as much as they want from over 600,000 Kindle books, and listen as much as they want to thousands of Audible audiobooks, all for only $9.99 a month. Finding a great book is easy, and there are never any due dates—just look for the Kindle Unlimited logo on eligible titles and click “Read for Free.” Customers can choose from best sellers like The Hunger Games, Diary of a Wimpy Kid, and The Lord of the Rings, and with thousands of professionally narrated audiobooks from Audible, like The Handmaid’s Tale and Water for Elephants, the story can continue in the car or on the go. Kindle Unlimited subscribers also get the additional benefit of a complimentary three-month Audible membership, with access to the full selection of Audible titles. Kindle Unlimited is available starting today and is accessible from Kindle devices or with Amazon’s free Kindle reading apps. Start your free 30-day trial today at

“With Kindle Unlimited, you won’t have to think twice before you try a new author or genre—you can just start reading and listening,” said Russ Grandinetti, Senior Vice President, Kindle. “In addition to offering over 600,000 eBooks, Kindle Unlimited is also by far the most cost-effective way to enjoy audiobooks and eBooks together. With thousands of Whispersync for Voice-enabled audiobooks to choose from, you can easily switch between reading and listening to a book, allowing the story to continue even when your eyes are busy. We hope you take advantage of the 30-day free trial and try it for yourself.”

Kindle Unlimited features include:

· Unlimited reading: Access over 600,000 books including best sellers like The Lord of the Rings trilogy, the Harry Potter series, Diary of a Wimpy Kid books, Flash Boys: A Wall Street Revolt, Water for Elephants, Oh Myyy! – There Goes The Internet, The 7 Habits of Highly Effective People, All the King’s Men, Wonder Boys, Ask for It, The Princess Bride, The 5 Love Languages: The Secret to Love that Lasts, The Atlantis Gene, Kitchen Confidential, The Sisterhood, Crazy Little Thing, The Blind Side, and The Giver, plus thousands of classics such as Animal Farm, To the Lighthouse, 2001: A Space Odyssey, Cat’s Cradle, and The Good Earth, as well as books featuring beloved children’s characters from Sesame Street, and useful reference titles including books from the For Dummies series and Lonely Planet travel guides.

· Unlimited listening: Keep the story going with unlimited access to more than 2,000 audiobooks from Audible with Whispersync for Voice, and switch seamlessly between reading and listening to customer favorites like the Hunger Games trilogy, Life of Pi, The Handmaid’s Tale, Capital in the Twenty-First Century, The Great Santini, The Man Who Mistook His Wife for a Hat, Winter’s Tale, Boardwalk Empire, El Narco, Upstairs at the White House: My Life with the First Ladies, Merle’s Door: Lessons from a Freethinking Dog, The Finisher, Johnny Carson, The Stranger I Married, and Life Code.

· Kindle exclusives: Choose from hundreds of thousands of books only found on Kindle, including Brilliance by Marcus Sakey, The Hangman’s Daughter series by Oliver Pötzsch, War Brides by Helen Bryan, Ed McBain’s 87th Precinct and Matthew Hope books, When I Found You by Catherine Ryan Hyde, Whiskey Sour by J.A. Konrath, Chasing Shadows by CJ Lyons, and Sick by Brett Battles.

· Short Reads: For a quick escape, select from thousands of books that are 100 pages or less, including Kindle Singles from Stephen King, Andy Borowitz, and Nelson DeMille, and short fiction from Amazon Publishing’s StoryFront imprint.

· Free three-month Audible membership: In addition to the thousands of professionally narrated audiobooks from Audible included in Kindle Unlimited, subscribers get a complimentary three-month Audible membership, with access to more than 150,000 titles.

· Popular Kindle features: Enjoy all the great Kindle features customers love such as Whispersync, Popular Highlights, X-Ray, customer reviews, and Goodreads integration.

· Read and listen everywhere: Access across Kindle devices and free Kindle reading apps for iPhone, iPad, Android tablets and phones, Windows Phone, BlackBerry, PC, Mac and Windows 8—so you always have your library with you and never lose your place.

For more details on Kindle Unlimited, visit


Via: techcrunch

The GoTenna Will Let You Communicate Without Any Connectivity

By this point, most of us are fully addicted to our smartphones. And when we find ourselves without Wifi or data service, our most direct connection to everything becomes almost useless. That’s where GoTenna comes in.

The device is launching into pre-order today, and lets users create their own closed network on which they can communicate. Here’s how it works:

Let’s say you’re out in the woods camping with a big group. You keep one GoTenna in your bag or near your person and it connects to your phone via BluetoothLE. Since they’re sold in pairs, you can hand off the other GoTenna to someone else in the group, who also pairs it with their own smartphone.

Let’s say this group splits into two, and one is running late. Without ever connecting to a telephony network or Wifi, the GoTennas actually create their own closed network using low-frequency radio waves, offering users the ability to send messages and drop locations to each other.

Of course, messages and locations are sent through GoTenna’s own app that offers entirely offline maps and full messaging capabilities.

GoTenna users have the option to send private messages to a particular user or group of users, but there’s also a system in place for emergency situations.

Let’s say you’re in the middle of the East Coast devastation during Superstorm Sandy (which is where cofounders Daniela and Jorge Perdomo came up with the idea), and you’re hurt or lost. You can send a “shout” to all GoTennas within range that will alert all GoTenna users that you need help.

Depending on location, GoTennas can actually create a fairly sizable network, with ranges up to 50 miles in some places. In the city, however, surrounded by rock and steel and concrete, the GoTenna can only communicate within a few-mile radius.

Obviously, this can be used when you’re off the grid, at a festival or concert where there’s too much volume on the network, or traveling abroad.

According to the company, the GoTenna will last around 72 hours with intermittent use, and around 30 hours if it’s on 24/7. When turned off, it can hold a charge for more than a year.

The GoTenna is now available for pre-order in pairs for $149 ($75/each). This is a special pre-order discount as the company tries to reach its $50,000 goal, but after discounted units sell out, the price will jump to $299 per pair.




Via: techcrunch

Google recruits top PS3 hacker for Project Zero

George Hotz, best known for hacking Sony’s PS3 and the iPhone, has been snapped up for Google’s vulnerability research team Project Zero.

Google has hired a prolific hacker by the name of George Hotz to join the Project Zero team. Hotz is well-known for hacking Sony’s PlayStation 3 and Apple’s iPhone.

The 24-year-old — also known as geohot — hacked into the PlayStation 3 in order to install alternate operating system software, with the intention of playing pirated games. Hotz was subsequently sued by Sony, although the matter was settled outside the courtroom. The hacker is also known for unlocking Apple’s iPhone. Now, after a brief stint at Facebook several years ago, Hotz has found a home with Google, according to the BBC.

Google’s Project Zero aims to reduce the threat that zero-day attacks represent by funding vulnerability research and hiring top security specialists and hackers. The hire of Hotz, therefore, is hardly a surprise — as these types of projects need people that can think like cyberattackers, as well as be talented in their own right, in order to thwart them.

Project Zero is currently hiring, although it does not say how people are recruited. Members of the team will seek out vulnerabilities in systems where “large numbers of people” are dependent on services, and in addition, will research “mitigations, exploitation, program analysis — and anything else that our researchers decide is a worthwhile investment,” according to Chris Evans, “Researcher Herder” at Google.

Google will publish a public database of vulnerabilities found, as well as how long it takes companies to react to bug reports and fix the problem.

This is far from the tech giant’s first foray into security, as the firm already has a bug bounty program for its own products, and Google staff are known for reporting vulnerabilities to other firms, including Microsoft and Apple.

Dr. Mike Lloyd, CTO at RedSeal Networks told ZDNet:

Google’s move to set up Project Zero is very welcome. The infrastructure we run our businesses and our lives on is showing its fragile nature as each new, successful attack is disclosed. Unfortunately, we all share significant risks, not least because IT tends towards ‘monoculture,’ with only a few major pieces of hardware and software being used most of the time.

Organizations use the common equipment because it’s cheaper, because it’s better understood by staff, and because we all tend to do what we see our neighbors doing. These upsides come at a cost, though — it means attackers can find a single defect, and it can open thousands or even millions of doors, as we recently saw with Heartbleed.


Via: zdnet

Google sets up cybercrime-busting task force

After unearthing the Heartbleed flaw, Google sets up a research group dedicated to finding vulnerabilities in Web software.

Google has set up an internal task force that will work to expose the activities and techniques of malicious Internet wrongdoers, aiming to cut down on the number of targeted cyberattacks. “You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” wrote Chris Evans, a Google security researcher, in a blog post Tuesday announcing the initiative, called Project Zero. “Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.”

Earlier this year, a Google researcher unearthed Heartbleed, a serious flaw in the OpenSSL cryptographic library that left millions of websites open to attack.

Google plans to fund more of the kind of research that unearthed Heartbleed. The company has assembled a staff of researchers for Project Zero and plans to hire additional security experts who will be dedicated full time to the project.

“Our objective is to significantly reduce the number of people harmed by targeted attacks,” Evans wrote.

The Project Zero team will investigate what techniques and technologies cybercriminals use. In addition, the researchers will investigate ways of shielding users from attacks, through techniques such as analyzing programs to pinpoint weaknesses.

One activity the group will undertake is searching for new bugs in software. Software flaws can be used by malicious attackers to gain illicit entry to a computer system. A zero-day vulnerability is one that is exploited by cybercriminals on the same day it is made public. In these cases, the maintainers of the software must scramble to ship a fix as soon as possible.

Project Zero will build an external database of all the bugs its researchers find and submit results to the companies or other parties that maintain the software.

Google is not alone in its efforts to build an Internet security response team. Hewlett-Packard’s TippingPoint also collects information on software vulnerabilities. The U.S. Department of Homeland Security maintains the Common Vulnerability Scoring System, a widely used database for tracking vulnerabilities and assessing their potential severity.


Via: csoonline

Microsoft layoffs of 18,000 employees begin

Microsoft is cutting 18,000 jobs, including 12,500 associated with the Nokia handset and services business it acquired earlier this year.

Microsoft is eliminating 18,000 jobs over the next year, including about 12,500 associated with the Nokia Devices and Services team it acquired earlier this year, company officials announced on July 17.

Microsoft also announced today that the company will incur pre-tax charges of $1.1 billion to $1.6 billion for severance and related benefits costs and asset related charges over the next four quarters.

The cuts will begin with a first wave of 13,000, with the vast majority of employees whose jobs will be eliminated being notified over the next six months, according to a memo from CEO Satya Nadella.

Those Nokia jobs that are being eliminated will include both professionals and factory workers.

Reports about Microsoft management’s plans to cut jobs as part of an effort to reduce redundancies and eliminate some engineers who aren’t developers have been circulating for the past month and intensifying in the past week. A July 9 memo about Microsoft’s fiscal 2015 priorities from CEO Satya Nadella hinted about changes that might occur as a result of new priorities and corporate realignment. Nadella declined to comment on layoff plans when asked by reporters who were allowed to speak with him last week about his memo, however.

This week’s layoffs are expected to hit almost all groups across the nearly 130,000-person company across the world and to include not only the aforementioned engineers who aren’t developers, but also a number of employees in sales and marketing in many groups, according to my and other reporters’ sources.

Microsoft officials planned to start to notify those in the US who are affected on July 17. A company-wide town meeting about the layoffs is scheduled for Friday, July 18.

Few, if any, entire product groups or teams are expected to be eliminated completely in the current layoff scheme, according to my sources. However, I am hearing that Microsoft is evolving the team that has been working on the Android-based Nokia X phones to drop Android and refocus on the Windows Phone OS. Update: Microsoft is confirming this is the plan, noting that current Nokia X phones will continue to be supported.

Microsoft is set to announce its fourth-quarter fiscal 2014 earnings next week, on Tuesday, July 22. (The announcement is on Tuesday rather than Microsoft’s customary Thursday reporting date due to a scheduling conflict with CEO Nadella, who is speaking at MGX, Microsoft’s global sales conference next Thursday in Atlanta.)

Microsoft’s last major round of layoffs occurred in 2009, when management eliminated 5,800 positions over the course of two-plus rounds. Then-CEO Steve Ballmer attributed the cuts in 2009 to a “response to the global economic downturn.”


Via: zdnet

Microsoft’s latest Azure moves show it’s all-in with the cloud

IT is moving away from its on-premises comfort zone, and Microsoft is pushing IT along.

Still think this cloud thing is going away? Sorry. In fact, it keeps growing bigger and bigger. In the past week, Microsoft has made announcements regarding new versions of Azure and new ways to deliver Azure. Let’s take a look at what’s new or on the horizon.

Microsoft Azure StorSimple
Available as of Aug. 11, the StorSimple 8000-series hybrid arrays connect to your on-premises environment through iSCSI and to your Azure storage through the Internet. You get SSD and hard drive storage tiers, plus a cloud layer storage tier.

The StorSimple Virtual Appliance that runs as a virtual machine in Azure can connect with Windows Server and Hyper-V, as well as on-premises Linux and VMware servers. That will make disaster recovery in the cloud easier, with VMs stored on the StorSimple Array restarted in Azure as necessary via the Instant Recovery feature.

Azure Machine Learning
Microsoft calls AML (Azure Machine Learning) a “fully managed service in the cloud that allows you to publish advanced analytic Web services in minutes and build enterprise-grade applications.” Its use cases are as diverse as can be.

For example, Pier 1 Imports uses AML to predict what customers may want to buy next. Neal Analytics is using AML to help companies more intelligently buy search terms that drive people to their sites. OSIsoft uses AML to help Carnegie Mellon University conserve energy by predicting energy consumption and detecting faults.

The art of prediction in any situation may seem as impossible as determining the weather. However, technology has certainly improved in predicting weather, so it’s credible that AML may improve enterprise predictions.

Knowing that AML might be hard to get started with, Microsoft has opened its online Machine Learning University, which provides how-to guides, access to training events, and “walkthroughs of the data science life cycle from importing and cleaning data to building predictive models and deploying them as production Web services.”

Azure Certified Program
The new Azure Certified Program will let vendors and other developers sell their cloud applications and services through the Azure app store ecosystem (basically, an enterprise app store). Initially, the program is focused on Azure-certified virtual machines that admins can deploy directly through the Azure Management portal. Early program members include SAP, Oracle, Azul Systems, Bitnami, Riverbed Technologies, and Barracuda.

Azure partner programs
Although the cloud is geared toward self-service, the complexity of systems that use Azure can often require specialty help. That means the same kinds of resellers and consultants who’ve long helped IT with on-premises deployments have a role to play with Azure as well.

Microsoft’s Cloud Solution Provider program is aimed at helping such providers gain more control over the customer process (billing, provisioning, and support). The release of Azure next month in Microsoft’s Open Licensing program should also help such deployment partners grow their business on the Azure side.

The on-premises world we feel safe in as IT administrators is going bye-bye. But our roles are not going away; they are simply changing as the cloud becomes part of our infrastructure. Microsoft clearly believes that, and its deepening of Azure’s offerings shows that belief is strong.


Via: infoworld

CNET website and 1 million passwords compromised by Russian hacker group

CNET, the popular tech news and reviews website, was compromised over the weekend by Russian hackers called “W0rm,” CNET’s parent company, CBS Interactive, confirmed yesterday.

Someone using the Twitter handle @rev_priv8 tweeted a screenshot on 12 July which appeared to show contents of the CNET database:

They then followed up with a tweet on 14 July:

#cnet i have good protection system for u ping me

A CBS Interactive spokeswoman confirmed that “a few servers were accessed” by the intruder.

CNET said the hacker or hackers stole 1 million emails, usernames and encrypted passwords.

The hackers gained access to the user database via a security hole in CNET’s implementation of the Symfony PHP framework – the “skeleton” on top of which CNET’s website is built.

The spokesperson continued:

We identified the issue and resolved it a few days ago. We will continue to monitor [the situation].

CNET reports that W0rm tweeted on Monday that it will sell the database for 1 bitcoin – around $622 – but that a W0rm representative told them through a Twitter conversation that the group offered to sell the database to gain attention and “nothing more”, and had no plans to decrypt the passwords or to complete the sale of the database.

But do we really want to trust hackers who take illegal steps to raise security awareness?

CNET’s article says “readers might not be at risk.”

Good to know, CNET – but it’s worth being extra cautious in a situation like this.

It should go without saying that registered users of CNET’s website should change their CNET passwords and those on any other sites for which they use the same password (but no-one still does that, do they?).


Via: sophos

CISOs still grappling with security awareness training

A study of some of the UK’s top chief information security officers (CISOs) has revealed that just 21 percent are conducting security awareness training on a regular basis.

In the ClubCISO Realtime Maturity Survey 2014, 50 senior executives “with responsibility for their organisations’ information security” were profiled for their thoughts on everything from reporting lines and breach response to cloud and BYOD adoption, as well as third-party relationships.

But it was on the topic of security awareness training where the results were most concerning, with 21 percent of CISOs saying that they had ‘never’ given training and a further 21 percent indicating that they only provided this when new staff joined the company.

A respectable 37 percent said that they carried out training on an annual basis and another 21 percent agreed that this was carried out “frequently, as updates are required”.

“Security awareness training for employees raised security concerns. One-fifth of staff never receive training, and doubts were raised about the quality and effectiveness of the training that was actually given,” reads the report.

“As for measuring effectiveness, participants had concerns particularly about online testing,” the report added, noting uncertainties around how learning is enforced and if the training even took place. As one example, one CISO apparently said: “I know of an example where an executive paid his daughter to do the test for him.”

More than half (52 percent) of the surveyed CISOs admitted that their security awareness training programmes had ‘no measure of effectiveness’, while 24 percent said that they relied on online testing. A further 14 percent said that they had an after-training test, while a well-prepared 10 percent professed to measuring incident and support call volumes before and after the training.

At a dinner in central London last week to discuss the findings, one CISO, who wished to remain anonymous, told how such training was a big topic of conversation at his telecommunications company.

“I think people are not aware what they’re doing in your environment…users are not conscious about security,” he said.

David Prince, cyber security director at reputation defence firm Schillings, reinforced this view and urged companies to seek out ‘more creative ways’ to educate people on their security responsibilities.

“People should be the first line of defence but in reality, they can be the main causes of vulnerability,” said Prince, who added that Schillings has taken to leaving USB keys around and drafting phishing emails to trick people to improve their awareness.

Other CISOs said that the key with training is to relate security to ‘personal circumstance’.

And with 58 percent of CISOs doing training sporadically – either on joining a company or just once a year – Prince said that companies need to move to a more continued deployment. “It is a programme that doesn’t end.”

One area for contention has been whether security awareness training is best initiated ‘bottom-up‘ from the lower rungs of the organisation, or starting from the boardroom with a ‘top-down‘ approach. Prince said that companies must ‘burn the candles from both ends’ but suggested that some companies may be especially concerned with the senior executives that ‘don’t get cyber security’.

Phil Cracknell, head of security and privacy at independent IT consultancy Company85 – which coordinated the study – stressed that, regardless of how such training starts, there needs to be a continued effort even starting from a very young age.

“We need to saturate this for a couple of years…we need to get this into schools,” said Cracknell.


Via: scmagazineuk