Monthly Archives: February 2015

Protect Your Smartphone From Government Spies With These Apps

If you didn’t know how easy it was for hackers to grab information off your smartphone before, you should now.

The Intercept reported earlier this week that the National Security Agency (NSA) and its British counterpart GCHQ had allegedly hacked into the Dutch company Gemalto and stolen the encryption keys for millions of the SIM cards it produces. Those keys may have given both agencies the ability to read phone communications around the world, and the report should serve as a warning to all that we need to protect our smartphones.

The good news is that the technology already exists to protect your text and phone messaging data. “Encrypted text messaging and phone systems are so easy to protect that we all have an obligation to secure ourselves,” American Civil Liberties Union senior policy analyst Chris Soghoian told TechCrunch over the phone.

Soghoian believes it would be irresponsible to tell people the government might be hacking into their private information and then not give them the tools to protect themselves. So he hopped on the phone with me to go through some of the free tools we already have at our fingertips to protect our private information.

Apple doesn’t market iMessage or FaceTime this way, but according to Soghoian, both are very secure means of sending information. “FaceTime is portrayed as a tool to talk to your kids at night before they go to bed, but it’s actually pretty secure for audio and video use,” he says. The other Apple product Soghoian recommends is iMessage. “Apple encrypts the iPhone to iPhone messaging to the point where it can’t un-encrypt the data. So even if the government wanted that information and demanded it from Apple, Apple doesn’t have it,” he says.

Apple supported Soghoian’s recommendations and confirmed with TechCrunch that it has built-in privacy and security measures for both FaceTime and iMessage, as well as for iCloud data.

Soghoian recommended WhatsApp as an alternative secure texting platform for those with Android phones, but said the same security measures did not exist on WhatsApp for iPhones (we have reached out to but not confirmed this with WhatsApp). “[WhatsApp] isn’t perfect, but it’s about 90 percent there,” he says.

The senior policy analyst wasn’t very positive on most of the other technology tools out there, but Signal was an app that stood out for him. It is an open-source, secure text messaging system from Open Whisper Systems, developed in part with taxpayer dollars, and its TextSecure protocol is the same one WhatsApp adopted for its Android app.

Signal, known on Android as TextSecure, is a free app and one of the few that works across platforms. It is also, in Soghoian’s opinion, easy to navigate and the most secure. Paired with the companion app RedPhone, it encrypts your phone calls end to end as well.

But even with greater encryption, nothing is 100 percent secure. “If someone wants to target you, be it the NSA or your boyfriend, they can hack into your device,” Soghoian says.

The idea isn’t to rely on one app to encrypt all data and call it good, but to know the risks, not put things on any device you don’t want getting out somehow, and to make it a lot harder for hackers to get your information. For Soghoian, the point is to make it too difficult for the government to hack into the wide swath of readily available information of innocent civilians and instead focus its energy on the bad guys.

“These tools aren’t bulletproof but they are a million times more secure than what the phone company offers,” Soghoian says.


Via: techcrunch

In historic vote, FCC approves strong net neutrality rules

In a 3-2 vote, the Federal Communications Commission (FCC) approved new net neutrality rules on Thursday, providing a landmark decision on internet regulation.

Under the new rules, internet service providers (ISPs), like Verizon and AT&T, are prohibited from “paid prioritization,” meaning facilitating internet “fast lanes.” Broadband providers are also banned from throttling or blocking access to legal content (or websites), applications, services or “non-harmful devices,” a Tuesday FCC release explained.

The move supports three principles: that “America’s broadband networks must be fast, fair and open,” the agency said, and marks a historic decision to regulate internet service as a public utility.

“Today, the Commission – once and for all – enacts strong, sustainable rules, grounded in multiple sources of legal authority, to ensure that Americans reap the economic, social and civic benefits of an Open Internet today and into the future,” the FCC said.


Via: scmagazine

Top 10 breaches of 2014 attacked ‘old vulnerabilities’

A report by HP has found that 44 percent of known breaches in 2014 were caused by vulnerabilities between two and four years old.

In fact, The Cyber Risk Report 2015 highlights that every one of the top 10 vulnerabilities exploited in the year just gone took advantage of code that was years – and in some cases decades – old, suggesting that for hackers, known ‘tried and tested’ exploits remain the low-hanging fruit.

Art Gilliland, senior vice president and general manager of Enterprise Security products at HP told Tech Europe, “Many of the biggest security risks are issues we’ve known about for decades, leaving organizations unnecessarily exposed.”

“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organizations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk.”

IT Pro Portal notes that the majority of exploits target “defect, bugs and logic flaws,” but adds that the main weaknesses all stem from a small number of software programming errors, meaning that old and new vulnerabilities alike are surprisingly easy for attackers to find.

Server misconfiguration was the number one issue, ahead of privacy and cookie security problems; it frequently gives attackers access to files that should never have been exposed, leaving organizations open to damaging attacks.

Personal connected devices were also seen to cause security issues, with the quantity of mobile malware found increasing over the year. The report also repeated the now-familiar warnings about the security of Internet of Things devices.

The Register summarizes the report’s overall recommendations as employing “a well-thought-out patching strategy, regular penetration testing, layered security defenses, threat intelligence sharing and a strategy for introducing new technologies.”


Via: welivesecurity

Target Says Credit Card Data Breach Cost It $162M In 2013-14

When it comes to data breaches, retailers are one of the biggest targets these days, and today we have some detail on the costs around one of the more high-profile attacks. Target today said that it has booked $162 million in expenses across 2013 and 2014 related to its data breach, in which hackers broke into the company’s network to access credit card information and other customer data, affecting some 70 million customers.

The figure, revealed in the company’s Q4 earnings published today, includes $4 million in Q4, and $191 million in gross expenses for 2014, as well as $61 million gross for 2013. Target says that the gross number was offset in part by insurance receivables of $46 million for 2014 and $44 million for 2013.

This is also not including whatever expenses Target may incur as a result of class action lawsuits filed after the breach, or wider damage to its reputation with customers. In January, a federal judge gave plaintiffs the nod to proceed with their class action case against the company.

Overall Target posted revenues of $21.8 billion, beating analyst estimates, and adjusted earnings per share of $1.50, beating its guidance. The company also recorded a pre-tax loss of $5.1 billion related to the company pulling out of operating in Canada. In pre-market trading, the company’s shares were up a little over 1% to $77.85 per share.

A report published yesterday by security firm FireEye noted that retailers saw the biggest spike in breaches in 2014, and that on average it still takes more than 200 days for companies to detect that they are being hacked. Target said it took the company 12 days to identify what was going on.

The breaches of companies like Target, as well as more recent examples from Anthem and Sony, have such direct consumer ramifications that they are changing the conversation around how seriously companies take security, which has moved from being solely an IT issue into one that reaches the highest executive levels of the company. “Before [the recent spate of breaches], it was ‘Yeah, I get it, security, blah, blah, but I don’t have to outrun the bear, I just have to outrun you,’” says David Cowan, a partner at Bessemer Venture Partners. “Now you have to outrun the bear. It is coming after you.”

For Target, that resulted in the company appointing its first outsider CEO, Brian Cornell, in July last year, after Gregg Steinhafel stepped down, along with other executives.


Via: techcrunch

Anthem breach by the numbers – State breakdowns

A whopping 78.8 million consumers may have had personal information viewed by “hackers who had accessed our database,” an Anthem spokesperson confirmed in a statement emailed to SCMagazine.com on Thursday; of those, about 60 to 70 million are current or former Anthem members.

The remainder consists of current and former non-Anthem Blue Cross Blue Shield members “who used their Blue Cross and Blue Shield insurance in a state where Anthem operates over the last [ten] years.”

Here’s a tally, broken down by state, of the number of people affected, based on recent reports:

  • Arkansas: About 39,000, according to Talk Business & Politics.
  • California: About 13.5 million, according to the Los Angeles Times.
  • Connecticut: 1,716,436, according to a release from Connecticut Attorney General George Jepsen.
  • Hawaii: About 18,000 Hawaii Medical Service Association (HMSA) members, according to a release from the Hawaii Department of Commerce and Consumer Affairs.
  • Illinois: About 215,000, according to the Chicago Tribune.
  • Kansas: 389,432, according to a release from Kansas Commissioner of Insurance Ken Selzer.
  • Louisiana: About 277,000, according to The Acadiana Advocate.
  • Maine: About 531,000, according to The Boston Globe.
  • Massachusetts: About 967,000, according to The Boston Globe.
  • Minnesota: More than 300,000 – about 206,800 could have Social Security numbers at risk, and an additional 106,800 had other data compromised, according to a release from the Minnesota Department of Commerce.
  • Missouri: More than two million, according to a release from the Missouri Department of Insurance, Financial Institutions & Professional Registration.
  • New Hampshire: About 667,866, according to New Hampshire Union Leader.
  • New Mexico: About 11,600 Blue Cross and Blue Shield of New Mexico members, according to Albuquerque Business First.
  • North Carolina: 775,606, according to The Charlotte Observer.
  • North Dakota: More than 27,000, according to a release from the North Dakota Insurance Department.
  • Pennsylvania: About 750,000, according to the Pittsburgh Post-Gazette.
  • Rhode Island: Nearly 80,000, according to NBC 10 News.
  • Vermont: More than 71,000, according to a Blue Cross Blue Shield of Vermont release.
  • Virginia: About 3.77 million, according to a release from Virginia Attorney General Mark Herring.

The Anthem spokesperson said in the statement that an investigation is ongoing. SCMagazine.com will continue to update this list as new state figures are made available.


Via: scmagazine

Several vulnerabilities, some critical, addressed in Firefox 36

Firefox 36 was released on Tuesday and a number of vulnerabilities have been addressed, including a few that are deemed critical.

A buffer overflow in ‘libstagefright’ during MP4 video playback was rated critical because it could lead to a potentially exploitable crash, and a use-after-free in IndexedDB was also deemed critical because it, too, could lead to a potentially exploitable crash, according to Mozilla’s advisory post.

Mozilla also addressed several critical memory safety bugs that, under certain circumstances, could be exploited to run arbitrary code, the post noted.

The remaining vulnerabilities are rated high, moderate, or low in impact. The high-impact bugs include a buffer underflow during MP3 playback, an out-of-bounds read and write while rendering SVG content, and a double-free when using non-default memory allocators with a zero-length XHR.


Via: scmagazine

Google steps up its BYOD game; looks to secure more than a billion mobile devices

Today’s security enhancement is brought to you by the word fragmentation and the number 1 billion.

On Wednesday, Google officially launched Android for Work, which was announced last June at its I/O conference. The aim is to offer businesses a stopgap that addresses BYOD needs, including secured access to sensitive data and OS fragmentation.

There are more than a billion people using an Android device right now, and a good portion of them are on the corporate network somewhere in the world. Each day these employees manage their workloads on the same device they use for social media, dating, and entertainment.

It’s a tricky proposition for IT managers and security professionals. Do they ban all personal devices, or allow employees to use whatever they want (i.e., BYOD) in the hope that they can manage those devices efficiently?

Google’s offering isn’t exactly new; but it’s an untapped market for the search giant. There are dozens of firms that offer some level of MDM (Mobile Device Management), but each offering has its limits. In some cases, existing MDM solutions have problems keeping up with the market and the influx of new devices and OS capabilities.

The biggest problem with Android though is fragmentation. Things aren’t as bad as they used to be, but carriers still don’t do much when it comes to delivering security or general improvement updates. They’d rather sell a new device entirely, leaving millions of devices exposed to critical security flaws or buggy features that will never get fixed.

Google’s plan is to fix these fragmentation gaps, especially when it comes to security. Android for Work will give layered security to devices that have none, while enhancing the existing security on devices running the latest Android release.

In fact, Android’s latest release (Lollipop) has the Android for Work features built-in, while older releases can simply download an app from Google Play.

Devices running Android for Work are split into a personal profile and a work profile, so the employee can access work documents, email, and other essentials in a contained environment that the company manages remotely. All Android for Work apps are pre-approved by IT (controlled by policy) and can be updated on the fly as needed.

Android for Work requires an EMM (Enterprise Mobility Management) solution in order to tap all of its features, making implementation a little bit easier depending on who your EMM vendor is. Right now, Google is working with several vendors in the EMM space including MobileIron, BlackBerry, AirWatch, Citrix, and MaaS360.

All of the major handset manufacturers are on board with Android for Work as well, including Huawei, Samsung, Motorola, Sony, HTC, Dell, HP, and LG.

Salesforce, Adobe, Box, and SAP have applications that are ready to launch, and VPN offerings from Cisco, F5, and Palo Alto are ready for release too.

Keeping with their promise from I/O, Google is offering email and calendar apps, as well as office tools such as Docs and Spreadsheets to Android for Work users, which can be customized for each organization.

While Google originally said that Android for Work would leverage technology from Samsung’s KNOX – and the general outline of how Android for Work operates is similar – the final product is pure Google.

However, the company said that manufacturers are free to develop on top of Android for Work if they choose, leaving room for improvements in the future.

MobileIron has a good write-up on the security considerations for Android for Work if you’re interested in some additional reading.

Most other EMM vendors are hosting events offering additional details on how their products tie into Google’s latest release, but for those already dealing with BYOD on a regular basis, Android for Work isn’t going to be a complex offering to enable.


Via: csoonline

Chrome users better protected against sites containing ‘unwanted software’

Chrome users now have additional protections against websites containing “unwanted software,” according to a Monday post.

Users will be met with a warning when navigating to a website that “encourages downloads of unwanted software,” the post states. Furthermore, signals to identify “deceptive sites” have been incorporated into Google Search, so there is less chance of navigating to such websites via search results.

Additionally, Google ads directing to websites with unwanted software will be disabled, the post notes.

“If you’re a site owner, we recommend that you register your site with Google Webmaster Tools,” Lucas Ballard, software engineer with Google, wrote in the post. “This will help you stay informed when we find something on your site that leads people to download unwanted software, and will provide you with helpful tips to resolve such issues.”


Via: scmagazine

Anthem: 78.8 million affected, FBI close to naming suspect

Insurer says millions of non-customers are impacted too.

On Tuesday, Anthem, the nation’s second largest health insurer, said that 8.8 to 18.8 million people who were not its customers could be impacted by its recent data breach, which at last count is presumed to affect some 78.8 million people. This latest count now includes customers of independent Blue Cross Blue Shield (BCBS) plans in several states.

In a statement, Anthem said that the breach affects current and former customers dating back to 2004.

“This includes customers of Anthem, Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore, and Unicare. Additionally customers of Blue Cross and Blue Shield companies who used their Blue Cross and Blue Shield insurance in one of fourteen states where Anthem, Inc. operates may be impacted and are also eligible: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin,” the company explained.

On December 10, 2014, someone compromised a database owned by Anthem Inc. The compromise was discovered on January 27, 2015, by a database administrator who noticed his credentials being used to run a query that he didn’t initiate. Anthem disclosed the breach to the public on February 4.

In statements to the Associated Press, Anthem confirmed previous reports published by Salted Hash, and added to those details with the news that credentials from at least five different employees were compromised during the incident. Investigators believe, though this is still speculation, that the employees fell for a phishing attack.
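The breach was noticed because a database administrator saw his own credentials running a query he had not issued. The script below is an added example of what the automated form of that observation looks like: it learns, per account, which hosts, hours of day and result sizes are normal from a history window, then flags later queries that deviate. It is not Anthem’s tooling; the audit-log format, the account names, the hosts and every log line are constructed for illustration, and the baseline window and the tenfold bulk-result threshold are assumptions.

```python
"""Flag queries that run under a privileged database account but do not fit
that account's own history. Added example: not Anthem's tooling, and the log
format and every line below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed audit-log format (assumption): one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"db=(?P<db>\S+) stmt=(?P<stmt>\S+) rows=(?P<rows>\d+)$"
)

# Constructed history for the week before the incident window.
BASELINE_LOG = """
2015-01-20T09:15:02Z user=dba01 host=10.20.5.77 db=members stmt=SELECT rows=120
2015-01-20T14:40:11Z user=dba01 host=10.20.5.77 db=members stmt=UPDATE rows=3
2015-01-21T10:05:44Z user=dba01 host=10.20.5.78 db=members stmt=SELECT rows=450
2015-01-22T16:30:09Z user=dba01 host=10.20.5.77 db=members stmt=SELECT rows=980
2015-01-20T11:00:00Z user=app_claims host=10.30.1.5 db=members stmt=SELECT rows=40
2015-01-21T11:00:00Z user=app_claims host=10.30.1.5 db=members stmt=SELECT rows=55
"""

# Constructed events to score: one routine DBA query, one that uses the
# DBA's credentials from a host and at an hour never seen before and pulls
# a bulk result, and one routine application query.
NEW_LOG = """
2015-01-27T10:12:31Z user=dba01 host=10.20.5.77 db=members stmt=SELECT rows=300
2015-01-27T03:14:05Z user=dba01 host=10.99.0.12 db=members stmt=SELECT rows=78800000
2015-01-27T11:00:00Z user=app_claims host=10.30.1.5 db=members stmt=SELECT rows=48
"""


def parse_log(text):
    """Turn raw text into event dicts. Lines that do not parse raise rather
    than being skipped: a gap in audit data is itself a finding."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def build_baseline(events):
    """Per account: source hosts seen, hours of day seen, largest result."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    rows_max = defaultdict(int)
    for e in events:
        u = e["user"]
        hosts[u].add(e["host"])
        hours[u].add(e["ts"].hour)
        rows_max[u] = max(rows_max[u], e["rows"])
    return {u: {"hosts": hosts[u], "hours": hours[u], "rows_max": rows_max[u]}
            for u in hosts}


def detect(baseline, events, bulk_factor=10):
    """Return (timestamp, user, reasons) for every event that deviates from
    the account's baseline. Each rule is independent, so one deviation is
    enough to alert: a stolen credential replayed from the DBA's own
    workstation during office hours would still trip the bulk-result rule."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("account has no history")
        else:
            if e["host"] not in b["hosts"]:
                reasons.append(f"new source host {e['host']}")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00Z")
            if e["rows"] > bulk_factor * b["rows_max"]:
                reasons.append(
                    f"bulk result {e['rows']} rows (baseline max {b['rows_max']})")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


def run_demo():
    """Score NEW_LOG against a baseline learned from BASELINE_LOG."""
    return detect(build_baseline(parse_log(BASELINE_LOG)), parse_log(NEW_LOG))


if __name__ == "__main__":
    for ts, user, reasons in run_demo():
        print(ts, user, "; ".join(reasons))
```

Run stand-alone, the script reports only the 03:14 query under dba01, with all three reasons. The point of the three independent rules is that a phished credential rarely looks wrong in every dimension at once: an attacker who tunnels through the administrator’s own workstation during working hours defeats the host and hour checks, and only the size of what is being read gives the theft away.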

The company said that attackers were able to obtain “personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”

The same week Anthem disclosed its breach, criminals jumped on the news and launched a phishing campaign using current events and fear as a lure; Anthem responded by reminding potential victims that they would be contacted via the US Postal Service, and not by email or phone.

According to Modern Healthcare, more than 50 class-action lawsuits have been filed since Anthem announced its breach. The potential legal liabilities could impact insurance plans nationwide, as the insurers find themselves legally responsible for the breach under HIPAA.

Shortly after Anthem announced the updated impact numbers, the FBI said it was close to naming the attacker behind the Anthem breach. The comments were made during a roundtable discussion with reporters.

“We’re close already,” said Robert Anderson, who heads the FBI’s Criminal, Cyber, Response, and Services Branch.

“But we’re not going to say it until we’re absolutely sure,” Anderson remarked, adding – “I don’t know if it’s China or not, by the way.”


Via: csoonline

Faulty Norton security update leads to Internet Explorer crash

Users of a number of Norton and Symantec security products may have had issues on Friday with 32-bit versions of Internet Explorer following a recent security update by the company.

According to multiple customer complaints on Symantec’s support forum, those who attempted to access the popular internet browser were met with a troublesome message: Internet Explorer Has Stopped Working.

Users with products such as Norton 360, Norton Internet Security, Norton Security, Norton Security with Backup, Symantec Endpoint Protection 12.1 and Symantec Endpoint Protection Small Business Edition 12.1 installed were impacted.

A support note was filed on Saturday by Symantec, instructing users to run LiveUpdate manually in order to address the issue.


Via: scmagazine