Monthly Archives: February 2015

Security Alert for Form 990 Online and 990-N e-Postcard

Look what security alert showed up today:

 

National Center for Charitable Statistics, Urban Institute

 

SECURITY ALERT:

Unauthorized parties have gained access to Form 990 Online.

If you are a user of this site, we encourage you to change your password immediately. Please go here for details and answers to Frequently Asked Questions.

 

Email seen:

 

February 24, 2015

To Users of 990 and ePostcard (990-N):

The Urban Institute’s National Center for Charitable Statistics (NCCS) recently discovered that an unauthorized party or parties have accessed the Form 990 Online and e-Postcard filing systems for nonprofit organizations. This unauthorized access affected nonprofit users of IRS Forms 990, 990-EZ, and 990-N (e-Postcard). In addition, it affected users of Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York.

We regret to inform you that the username, first and last name, email address, IP address, phone number, and password associated with your nonprofit organization were compromised in this incident.

Once we discovered the attack, we contacted the IRS and made every effort to secure the systems and user accounts. We are working with law enforcement agencies as they conduct an investigation. In addition, we have retained a leading cybersecurity firm to help us analyze the situation and strengthen security.

Currently we believe no information from the filings themselves was compromised. These forms do not contain Social Security numbers, credit card data, or individual tax filer information, so such sensitive information was not available to the hackers. Copies of the 990 returns, including the e-Postcard, are public documents that are released by the IRS.

If you use the same password for your organization’s Form 990 Online and e-Postcard that you do for other websites or applications, we strongly encourage you to change it immediately in each of those instances, as well as on these systems.

To change your password on the Form 990, click here.

To change your password on the e-Postcard, click here.

To enhance security, all users accessing the Form 990 Online and e-Postcard systems are required to change their passwords upon logging in, or were when they logged in most recently. We encourage you to be alert for unusual or suspicious emails and use caution when clicking on links or opening attachments from unknown senders.   

We sincerely apologize for this disruption and any inconvenience this incident may cause you. We have a strong commitment to privacy and data security, and we are continuing to do everything we can to protect against future attacks. Our investigation is ongoing, and we will let you know if it reveals new information that is relevant to your account.

If you have any questions, please visit our FAQ where you can obtain further information. While you can’t reply directly to this email, you can email us at security@form990.org or call 1-800-564-9110 if you have more questions.

Sincerely,

Elizabeth T. Boris

Director, Center on Nonprofits and Philanthropy at the Urban Institute 

 

 

Via: form990.org

Tech companies, media join Twitter’s fight to divulge NSL info

Four months ago, Twitter sued the Justice Department for severely limiting the scope of information that companies could share on government data requests known as national security letters (NSLs) – and now, tech companies along with major media organizations are taking a stand to support Twitter’s complaints.

National Public Radio (NPR), The Washington Post, Guardian News & Media (the publisher of The Guardian), BuzzFeed, and PEN American Center filed a statement of amici interest (PDF) on the matter, offering their opinion as friends of the court interested in the “proper resolution” of the case, the document said. That day, in a separate brief of amici curiae (PDF) two unnamed corporations also filed their opinions on the Twitter case in a federal California court, challenging government gag orders that often forbid companies from notifying the public about NSLs.

The Electronic Frontier Foundation (EFF), which is representing the anonymous companies, announced that the firms – a telecom and internet company – wish to share their identities as well as release the “details of their fights against NSLs.” But ongoing legal proceedings have made it necessary for the organizations to remain unidentified.

In court documents, the telecom company is described as a “provider of long distance and mobile phone services,” that filed its own challenge to an NSL from the FBI back in 2011. The unnamed internet company filed a similar petition in 2013 regarding two NSLs from the FBI “and the nondisclosure requirements imposed in connection therewith,” the documents said, referencing gag orders that companies (including Twitter) deem “unconstitutional” for violating First Amendment rights.

In the brief, the internet company and mobile service provider also requested that the Court deny the government’s motion, filed in January, to dismiss the bulk of the Twitter lawsuit.

In January 2014, the Justice Department, in a letter, relaxed restrictions on disclosing government data requests after a number of companies complained, but later in the year blocked Twitter from releasing a transparency report because it said the report did not meet the newly established standards and contained classified information.

Privacy rights group EFF explained in its Tuesday release that highly secretive NSL demands, and many details surrounding them, are often kept confidential in the so-called interest of national security.

“The government continued to maintain that even identifying EFF’s clients as having received an NSL might endanger national security,” EFF said.

On March 31, the next oral arguments in Twitter v. Eric Holder are scheduled to take place before District Judge Yvonne Gonzalez Rogers in Oakland, Calif.

 

Via: scmagazine

Some iPhones Have Bad Batteries

iPhone 5 Battery Replacement Program

Apple has determined that a very small percentage of iPhone 5 devices may suddenly experience shorter battery life or need to be charged more frequently. The affected iPhone 5 devices were sold between September 2012 and January 2013 and fall within a limited serial number range.

If your iPhone 5 is experiencing these symptoms and meets the eligibility requirements noted below, Apple will replace your iPhone 5 battery, free of charge.

Eligibility

If your iPhone is in working order and exhibits the symptoms noted above, use the serial number checker here to see if it is eligible for this program.

Replacement process

Choose one of the service options below to have your battery replaced. Your iPhone will be examined prior to any service to verify that it is eligible for this program and in working order.

Please call your service provider to confirm that battery replacement service is available on the day you visit them.

  • Apple Authorized Service Provider – Find one here.
  • Apple Retail Store – Make an appointment here.
  • Apple Technical Support – Contact us.

 

To prepare your iPhone 5 for the battery replacement process, please follow the steps below:

Note: If your iPhone 5 has any damage such as a cracked screen which impairs the replacement of the battery, that issue will need to be resolved prior to the battery replacement. In some cases, there may be a cost associated with the repair.

 

Additional Information

Apple may restrict or limit repair to the original country of purchase.

If you believe your iPhone 5 was affected by this issue, and you paid to replace your battery, you can contact Apple about a refund.

This worldwide Apple program doesn’t extend the standard warranty coverage of the iPhone 5. The program covers affected iPhone 5 batteries for two years after the first retail sale of the unit or until March 1, 2015, whichever provides longer coverage.

 

Via: apple

Snapchat Now Lets You Shoot Video And Play Music At The Same Time

Snapchat has solved one of the most annoying problems with mobile video so you can finally record your dance parties, even if you’re the DJ.

The startup has been experimenting for some time with ways to better integrate music into its application. Today it’s launching a new feature that allows you to record video while playing music from your phone, rather than the music pausing. You can bump jams from iTunes, Spotify, SoundCloud, or any other app while recording.

The feature has just rolled out to iOS with the release of Snapchat version 9.2.0, but has yet to appear in the Android version hosted now on Google Play.

If you want to see how it works and hear my little review, check out my demo on Snapchat Stories by following “JoshConstine” or pointing your Snapchat at this Snaptag QR code. Send me your best music snaps.

Snapchat records the music at a very high volume that works fine if you’re not saying anything. But if you want to talk into the camera, you’ll have to shout.

The ability to create musical snaps without a second audio device will give extra creative flexibility to the growing ecosystem of star content creators on Snapchat Stories.

It is a little fishy that the feature comes shortly after Snapchat shut off sharing from the music video app Mindie, which let users pick a song as a soundtrack, then shoot an accompanying personal video that could then be shared to other social networks. Snapchat cited its security policy as the reason for cutting off access from Mindie at the time of its removal earlier this month, and even reset the passwords of those who had given Mindie their credentials.

The music-plus-video feature gives Snapchat a leg up over competing video apps like Vine, for example. The inability to record video while playing music has been the bane of many Viners and amateur videographers. The iPhone’s default video camera, Vine, and other apps will pause music as soon as you start recording.

While seemingly a minor addition, support for snaps that include music playing from users’ own phones could pave the way for Snapchat’s grander plans in the music space further down the road. The company has, so far, shown a keen interest in making music a deeper part of the Snapchat experience – and that’s something that also likely resonates with the younger demographic that uses the app most often.

In the past, Snapchat has experimented with promoting music by featuring artists like Goldroom, Vance Joy and Strange Talk in its promos, which, in some cases, allowed users to tap through to the iTunes store to buy the track when the video promo ended.

And in emails leaked via the Sony hack, it was revealed that Snapchat CEO Evan Spiegel had been actively discussing ways to make Snapchat a better tool for promoting artists, and even toyed with the idea of running its own label. More recently, it’s been rumored that the company is looking to buy Taylor Swift’s label, Big Machine, according to the New York Post.

But now you’ll be able to easily record your own videos with soundtracks. Get ready for a lotttt of karaoke Snaps.

 

Via: techcrunch

RBS, NatWest to leverage iPhone Touch ID scanner for mobile app

Customers of the Royal Bank of Scotland (RBS) and NatWest using iPhones equipped with Touch ID will now be able to log into RBS’s mobile app using their fingerprints.

It is the first time a British bank, albeit one owned mostly by the government, has rolled out biometric authentication to customers, though Barclays began offering a finger scanner to corporate customers last year.

The service, which the bank developed in response to dwindling branch business and an uptick in mobile and online banking, will be available to 880,000 customers who use RBS or NatWest mobile apps on their iPhones.

RBS has said almost half of its 15 million customers now conduct their banking online with about three million a week using the bank’s mobile app. RBS plans to invest $1.5 billion in mobile banking in three years.

 

Via: scmagazine

Customers cry foul in two more Anthem suits

A pair of lawsuits filed in Denver District Court continue a customer legal assault on Anthem, Inc. after a massive data breach exposed private information on more than 80 million of the insurance company’s past and present customers and employees.

In both suits, plaintiffs echo the anger and arguments of earlier lawsuits, claiming that Anthem broke faith by failing to protect their information, but one suit contends that customers paid Anthem higher premiums, shelled out dollars to ensure data protection and were promised protection services in the aftermath of the breach which it says Anthem ultimately did not provide.

Anthem “failed to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers’ personal data,” said the suit filed on behalf of Mary Mellon.

“Despite paying enhanced membership fees and insurance premiums in exchange for Anthem’s repeated promises of data security and protection, Anthem’s conduct failed to deliver, thus denying Plaintiff and the Class members the benefits of their respective (though identical) bargains,” said a class-action suit filed on behalf of Dana Hills.

Citing a deluge of phishing emails sent to the company’s customers, “Anthem’s promise to provide future protective services rings false,” said the Mellon suit. “The unidentified persons have gained access to Plaintiff and Anthem customers’ email and mailing addresses.” The phishing emails began appearing almost immediately, the suit explained.

Both legal actions also questioned, as have some states, the delay between Anthem detecting the breach, which had been ongoing for at least a month, and its notification of customers. The Mellon suit called Anthem’s failures “compound,” noting, as have others, that the insurance company “failed to take adequate and reasonable measures to ensure its data systems were protected and to prevent the data breach.” And, it said the company “waited approximately nine days before it informed its customers of the data breach and theft of their personal medical information.”

Anthem already has taken a good deal of heat for not encrypting its data and it appears the suits will use that lapse to make their case.

“Such a failure to protect its members’ information violates Anthem’s obligations as established by federal law as incorporated into its member agreements,” said the Hills suit.

 

Via: scmagazine

What You Need to Know About Superfish, The Man-in-the-Middle Adware Installed on Lenovo PCs

What’s happened?
An almighty furore has kicked off after it was discovered that for months Lenovo has been shipping PCs and laptops with software pre-installed that could compromise your security and privacy.

What software?
It’s called Superfish, and it inserts adverts into webpages such as Google search results.

In January, a Lenovo forum administrator responded to customer complaints about Superfish by describing its functionality like this:

“To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

That sounds like adware?
Yes, it does. At the very least it’s a potentially unwanted program (PUP), but there are other concerns beyond Superfish’s insertion of adverts.

What concerns?
Superfish installs its own self-signed root certificate into the Windows trusted root store and intercepts the HTTPS-encrypted traffic of each and every website you visit, re-signing each site’s certificate under that root so the browser shows no warning. In other words, encrypted traffic is being intercepted so ads can be shown on Lenovo customers’ computers.

Surely no-one should be able to see my encrypted communications?
Correct. The Superfish adware installed by Lenovo is effectively conducting a “man-in-the-middle attack”, and can crack open your secure communications – all so they can display some irritating adverts. It does this by replacing legitimate site certificates with its own.

But Lenovo wouldn’t spy on my communications, would it? They’re not secretly snooping at my private activity online?
Almost certainly they’re not interested in that. They just want to inject money-making ads in front of you. But the way in which they have done it is cack-handed, and could be exploited by a malicious hacker to intercept the traffic of innocent parties.

That sounds bad.
You bet it’s bad. If you have Superfish on your computer you really can’t trust secure connections to sites anymore.

For instance, take a look at the fake certificate affected Lenovo users see when they visit the Bank of America website. It is signed by Superfish, not Bank of America.


As security researcher Marc Rogers points out, users aren’t told that the legitimate site certificate has been meddled with, has expired, or is bogus.

Furthermore, Superfish uses the same root certificate, with the same private key, on every install. Once that key is extracted from one machine it can be used against all of them, which makes this a huge security vulnerability and your PC utterly untrustworthy when it comes to activities such as online banking.

This presents a security nightmare for affected consumers.

  • Superfish replaces legitimate site certificates with ones it signs itself so it can inject adverts into the decrypted pages. This means that anyone affected by this adware cannot trust any secure connection they make.
  • Users will not be notified if the legitimate site’s certificate has been tampered with, has expired or is bogus. In fact they now have to rely on Superfish to perform that check for them, which it does not appear to do.
  • Because every install carries the same root certificate and the same private key, anyone who extracts that key from one machine can sign a certificate for any site that every affected PC will trust. A hostile actor on the same network can therefore intercept those users’ connections without Superfish’s involvement.
  • Superfish’s root certificate is signed with SHA-1, which is being retired in favour of SHA-256 because collision attacks against it are within reach of well-resourced attackers. This is insult on top of injury: not only is Superfish compromising people’s SSL connections, it is doing so in the most cavalier, insecure way possible.
  • Worse still, the root uses a 1024-bit RSA key, below the 2048-bit minimum that NIST and the public certificate authorities have required since the end of 2013.
  • The user has to trust that this software, which has compromised their secure connections, is not tampering with the content or stealing sensitive data such as usernames and passwords.
  • If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers’ banking sites, personal data and private messages.

Okay, okay. I get the message. What is Lenovo saying about all this?
At the end of January, following customer complaints on its forum, Lenovo said it had “temporarily removed” Superfish from computers it sold. It said it was doing this because of “some issues (browser pop up behavior for example)”.

However, that doesn’t appear to help people who had already bought Lenovo PCs with the Superfish adware, or anyone who goes into a store today and buys one that has been sitting on the shelf for a month or two.

Sheesh. How long has this been going on for?
Since at least mid-2014. Complaints have popped up from time to time from Lenovo customers, but in the last 24 hours the story has become a hot topic in security circles.

Now the story has reached the ears of the security press, we hope Lenovo will take the problem more seriously.

How do I remove Superfish?
Unfortunately it appears that simply removing Superfish from your computer does not also zap the associated root certificate. That means your computer remains vulnerable.

Microsoft has published a step-by-step guide about how to remove and revoke root certificates that you can follow.

In addition, Microsoft has published a list of the official root certificates that are needed for Windows – to make sure that you haven’t had anything else sneakily added.

If you’re still worried then, well… you’ve got a backup of your important data, right?

Maybe the simplest thing to do is wipe your hard drive and install a clean, fresh, uncompromised version of Windows (or other operating system) onto your Lenovo computer – instead of the one they gave you.

It’s a brutal response, but it’s probably the only one you can completely trust right now. It took the security community over six months to notice what Lenovo was doing on its PCs, who knows if it’s doing anything else a bit dodgy too…

How to Test Your PC for the New “Superfish” Security Vulnerability

https://lastpass.com/superfish/

https://filippo.io/Badfish/
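The two checks the removal steps and the test sites above describe can also be scripted locally. The following is an added example written for this page, not code from Lenovo, Superfish, Microsoft or the linked test sites. It assumes the rogue root can be recognised by the string “Superfish” in its Subject, and that an active interception shows up as a served site certificate whose Issuer contains that same string. Run it from an elevated PowerShell prompt; the removal step only runs when you pass -Remove, and the live probe needs network access (the default host is taken from the Bank of America screenshot discussed above; any HTTPS site works).

```powershell
# Added example: detect and remove the Superfish root, and probe a live HTTPS
# connection for interception. Assumptions: the root's Subject contains
# "Superfish"; an intercepted site presents a certificate issued by it.

function Find-SuperfishRoot {
    param([switch]$Remove)

    # Check both the machine-wide and the per-user trusted root stores.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            if ($cert.Subject -notmatch 'Superfish') { continue }

            # KeySize is only exposed for RSA/DSA keys on older .NET; guard it.
            $keySize = $null
            try { $keySize = $cert.PublicKey.Key.KeySize } catch { }

            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                KeySize    = $keySize
                SigAlg     = $cert.SignatureAlgorithm.FriendlyName
            }

            if ($Remove) {
                # The certificate provider supports Remove-Item on PowerShell 3+.
                Remove-Item -Path $cert.PSPath -Verbose
            }
        }
    }
}

function Test-TlsIssuer {
    param([string]$HostName = 'www.bankofamerica.com')

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    # Accept any chain: the point is to look at what was served, not to validate it.
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $served.Subject
            Issuer      = $served.Issuer
            Intercepted = ($served.Issuer -match 'Superfish')
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Usage: report first, remove once you have confirmed the match.
Find-SuperfishRoot | Format-Table -AutoSize
Test-TlsIssuer | Format-List
# Find-SuperfishRoot -Remove
```

A SHA-1 self-signature on a root is not itself the defect, since a root’s own signature is never checked during chain building; the report shows it alongside the key size only because the page lists both. The property that actually matters is the one the store scan cannot see: the private key behind that root is the same on every affected machine, so the root has to go whether or not the Superfish program has already been uninstalled. Uninstalling Superfish after removing the root is still necessary, otherwise it can reinstall the certificate.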

 

Via: tripwire

Anthem Could Face Legal Fallout from Hack

Experts say that Anthem’s lack of encryption doesn’t matter. Find out why they might be wrong in our legal analysis.

The recent successful hack on Anthem is but the latest high-profile data breach in a string of data breaches, and it was a hefty one, compromising dozens of millions of customers’ records containing personally identifiable information and other sensitive data. Anthem’s employee records, too, were compromised. Unlike most other superbreaches of the past couple of years, however, Anthem isn’t a retailer. It’s a health insurance company, and that fact has significant ramifications for both the organization and the victims.

According to a 2013 report by Dell SecureWorks, health insurance credentials are worth 10 to 20 times more than simple credit card numbers. That fact, combined with the industry’s embarrassing reputation for lax data security, has made healthcare organizations high-demand targets for hackers and identity thieves these past couple of years.

The Anthem attack was unique for several reasons. It appears to have been perpetrated by hackers sponsored by the Chinese government, most likely a group known as Deep Panda. And the compromised data were unencrypted, a fact that raises legal questions.

Some experts say that the lack of encryption in this case does not matter. Healthcare data journalist Fred Trotter, for instance, reports that “[e]ncryption probably would not have helped,” speculating that the level of access the hackers obtained would have rendered any level of encryption a moot point. Trotter goes on to suggest that encryption would have hindered legitimate accessibility of the data within Anthem’s organization itself in ways that would have made HIPAA compliance more difficult.

While Trotter’s other points are well taken, the issue of HIPAA compliance is one worth examining. To get a better idea of where Anthem might stand in relation to HIPAA, a cursory look at the timeline is in order.

WellPoint and Anthem: A History of Cybersecurity Stumbles

Anthem was not always Anthem. Until very recently, the company went by the name WellPoint, only changing its name to Anthem on December 3, 2014.

On October 23, 2009, a botched upgrade to WellPoint’s systems followed by a further botched security review left the identity and health record data of more than 612,000 policy applicants publicly exposed on the Web for all to see until March 7, 2010. The data leak was discovered and reported by attorneys gathering information for a legal action against the insurance company.

Of course, several lawsuits related to WellPoint’s data breach followed. Both state and federal government enforcers opened legal fire as well, negotiating and obtaining significant settlements. In particular, WellPoint had to (inter alia) fork over $1.7 million to the Department of Health and Human Services (“DHHS”) and $100,000 to the Consumer Assistance Fund of its home state of Indiana.

Fast forward to April 8, 2014. The FBI distributed an alert to healthcare companies, advising that the healthcare industry’s cybersecurity practices lagged far behind other sectors, such as retail and financial services. The FBI’s mention of the retail sector was especially notable, considering the fact that the advisory followed major hacks against large retailers such as Target, Neiman Marcus, and Michaels.

“[T]herefore the possibility of increased intrusions is likely,” read the notice.

Less than four and a half months later, the FBI distributed another alert to healthcare companies, this time to warn them that they were being actively targeted by hackers and that their customers’ Protected Health Information (PHI) and Personally Identifiable Information (PII) were at risk. The impetus for the alert was the then-recent Heartbleed-related data breach that another healthcare organization, Community Health Systems, had suffered.

Anthem may have already become a target by the time the FBI issued its warnings. An Anthem memo indicates suspicious query activity on its network going back to December 10. Other evidence, discovered by security firms such as ThreatConnect, CrowdStrike, and Symantec, suggests the beginnings of the attack originated even earlier, perhaps just a few weeks after the FBI’s April advisory. An apparent WellPoint spoof domain originating in China, “we11point[dot]com,” replete with subdomains mimicking actual WellPoint.com subdomains such as “myhr[dot]we11point[dot]com” and “hrsolutions[dot]we11point[dot]com,” was registered in April 2014 and clearly designed to mimic WellPoint’s actual infrastructure. Malware reportedly linked to Deep Panda references the spoof domain, as well as an email address owned by Song Yubo, an information security professor in Nanjing whose research center receives funding from the Chinese government to work on cyberwarfare applications.

“It’s…incredible that so many companies could see the outlines of a threat against such a huge target, and that it took until just this past week for the target to become aware of it,” observed cybercrime journalist Brian Krebs in a February 9 blog post, reporting on this evidence. “For its part, ThreatConnect tweeted about its findings back in November 2014, and shared the information out to its user base.”

Was Anthem HIPAA-Compliant?

HIPAA does not strictly require encryption in all cases, but healthcare organizations are obligated to at least “address” the issue of encryption. They may reasonably opt to employ other security measures in lieu of encryption if, among other factors, the risk of unauthorized data disclosure is low.

According to privacy attorney Adam Greene, a history of multiple breaches demonstrates that this disclosure risk is not low. Anthem’s data breach from five years ago, the FBI’s 2014 alerts of heightened cyber risk to healthcare companies, and the threat intelligence and other relevant information around Anthem all combine to demonstrate that the risk was not insignificant. Hence, a DHHS action against Anthem – while perhaps escapable – remains possible.

Anthem has more than DHHS to worry about, too. On top of dealing with myriad investigations from states’ Attorneys General, Anthem faces multiple lawsuits over its data breach, lawsuits that level accusations such as negligence, breach of contract, and violations of various applicable state laws.

It’s worth mentioning here that negligence plaintiffs have successfully used HIPAA standards as evidence of the level of care owed to a plaintiff. This is, however, a two-way street. If Anthem can establish that it didn’t violate the standards of care owed under HIPAA, it may yet escape liability to its data breach victims.

Still, considering Anthem’s recent history, that’s a big “if.”

 

 

Via: enterprisenetworkingplanet

Microsoft announces Windows 10 will feature biometric security

Among the new features set to come with the release of the anticipated Windows 10 operating system, users can now look forward to new authentication protocols.

In an effort to help users move away from passwords, Windows 10 will support the Fast IDentity Online (FIDO) authentication standard, using biometrics in place of a password, according to a blog post by Dustin Ingalls, group program manager at Microsoft. Microsoft has submitted design specifications to the FIDO Alliance that are to be “incorporated within the FIDO 2.0 Technical Specifications,” and the upcoming version of Windows will implement them.

The work put into these specifications is “one of the most important priorities” in the release, Ingalls said.

In addition to serving enterprises, the new capabilities will also cover consumer services such as Outlook.com and OneDrive. Members of Microsoft’s Windows Insider Program can already begin to test out the new features.

 

Via: scmagazine

TweetDeck Teams, a simple way to share access to your Twitter accounts without sharing passwords.

The feature is starting to roll out on TweetDeck for web, Chrome and Windows.

TweetDeck Teams is a simple solution to Twitter account sharing. It enables you to delegate access to as many people as you like, and remove accounts when they no longer need access. In order to use this new feature, you must log in to TweetDeck with your Twitter account. If you are still using a legacy TweetDeck account, it’s time to switch over!

Get started
If you currently manage and share a Twitter account, here are a few steps to get ready to use TweetDeck Teams. Let’s use @TwitterMedia as an example.

As the owner of @TwitterMedia, log in to TweetDeck using the Twitter account credentials, and from the navigation bar, select Accounts.

  • Select Team @TwitterMedia.
  • Type the name of the account(s) you want to have access to @TwitterMedia.
  • Select Authorize and an email will be sent to the account. (For this example, let’s say the user being authorized is @bobiltimore.) Bo will need to Accept the invitation in TweetDeck to contribute. The email address associated with @TwitterMedia will receive an email that @bobiltimore has been added to the team.

Tip: If you’re currently sharing your account, you can change the password and revoke app access to ensure that from now on only the people you’ve just added will have access.

This short video is a quick and easy way to see how it works:

Finally, TweetDeck Teams has two types of roles: admin and contributor. As the person who knows the password, you can still Tweet from the account, add or remove team members, view the team and access the account from non-TweetDeck platforms (e.g., Twitter.com, Twitter mobile apps). You can also update the account’s credentials or password.

Admins are users who sign in to TweetDeck with their personal account. As an admin, the user can Tweet from the account (plus build lists, follow or unfollow accounts, send Tweets and schedule Tweets), add or remove team members and view the team. An admin cannot access the account off of TweetDeck or change the credentials or password.

And contributors are those people who can Tweet from and act as the account (plus build lists, follow or unfollow accounts, send Tweets and schedule Tweets). Contributors cannot view, add or remove team members, and can not access the account outside of TweetDeck.

If you prefer not to receive invitations to others’ teams, you can opt out completely on twitter.com/settings/security, or just allow invitations from users who you follow.

Remember, once you’ve transitioned over to TweetDeck Teams, you should continue to use login verification on your accounts, and encourage your team members to as well. Instead of relying on just a password, login verification introduces a second check to make sure that you and only you can access your Twitter account.

We hope you enjoy this new account-sharing feature.

 

 

Via: twitter