Monthly Archives: February 2015

Firefox to get a “walled garden” for browser extensions, Mozilla to be sole arbiter

Mozilla is the latest vendor, if you will excuse me not referring to it as a foundation or a community, to announce a walled garden for its software ecosystem.

In the second half of 2015, it says, Firefox will require all browser extensions to be digitally signed.

The purpose should be obvious: to make it harder for surreptitious, devious or plain malevolent add-ons to make their way into your browser unnoticed.

Extensions can adapt the behavior of Firefox significantly, from rewriting links and content, through keeping tabs on where you browse, to reading and using your data.

As a result, malicious extensions can be as bad for your digital health as a full-blown malware infection at the operating system level.

How it will work

Mozilla will be the signer-in-chief, and that, apparently, will be that.

If you publish your extension via Mozilla’s equivalent of the App Store, known as AMO, or addons.mozilla.org, the company will automatically vet it, sign it, and make it available for download.

That’ll be a bit like Google’s Bouncer, the automatic process that decides if your Android app is safe for inclusion on Google Play.

The good side of an automatically-scan-approve-and-sign process is that it’s simple and fast.

That makes it vaguely more egalitarian than a complex and bureaucratic mechanism that tends to favor bigger, more established software makers, who themselves have the staff and bureaucracy to match.

The bad side is that automatic systems for software approval are designed as much to help online software markets grow really quickly as they are to keep the crooks out.

So they don’t always do a very good job of security, and if completely automatic approval systems do let malware or dodgy programs through, they give a powerful but completely false sense of safety that plays straight into the hands of the crooks.

Going off market

Like Google on Android, but unlike Apple on iOS, Mozilla will continue to allow its users to shop “off market,” so you won’t be forced to publish your extensions via AMO.

Unlike on Android, however, this won’t require users to invoke an “allow unsigned extensions” option.

In fact, Mozilla says that there will be no way, neither via command line nor through configuration options, to suppress signature checking.

Instead, all extensions will have to be signed, even “off-market” ones, so instead of devolving the responsibility for off-market content onto the user, Mozilla is going to require developers to make the effort.

→ Apparently, there will be a special sort of exception for in-house extensions, to appease Mozilla’s corporate users. How this will work, and how it will be locked down to prevent malware abusing it as a backdoor, is not yet clear. Presumably you’ll be able to instruct your company browsers to accept extensions signed with a company certificate.

What isn’t clear is how developers will test their extensions under the current Release version before submitting them for approval.

Mozilla says:

Installation of unsigned extensions will still be possible on Nightly and Developer Edition, as well as special, unbranded builds of Release and Beta that will be available mainly for developers testing their extensions.

This, of course, raises the question, “Will the unbranded or the Developer builds be sufficiently similar to the Release versions out in the real world that developers can stand by their testing results?”

It also makes you wonder, “How many users, including businesses, will simply switch to the unbranded versions themselves and be done with this code signing hassle?”

The community strikes back

Security and reliability concerns, however, don’t seem to be what’s worrying some of the more vocal members of the Mozilla community, who have already hit back with comments like this emotive piece:


Please don’t do this.

It is taking freedom away from your users, and freedom away from add-on developers.

You are handing a powerful tool to governments & corporations that will suppress add-ons they don’t like, by compelling you not to sign.

Mozilla as a platform for freedom & creative software development will be torn to shreds by this.

Please stop.

Or this well-reasoned gem:


We don’t want this, so you can send it back to your boss that we said to shove it.

Mozilla has certainly set the cat amongst its own community’s pigeons.

At this stage, it’s not even clear if the organization is going to be able to please some of the people some of the time.

Via: sophos

Apple extends two-factor authentication to FaceTime and iMessage

Apple enabled 2FA for iCloud in September.

Back in September, Apple enabled a two-factor authentication (2FA) security option for iCloud in the wake of a celebrity photo hacking scandal. While this helped protect backups, photos, and other personal data stored using Apple’s cloud service, it didn’t extend to some other commonly used Apple services. According to a Guardian report, Apple is turning on 2FA for the iMessage and FaceTime services starting today.

If you’ve already enabled 2FA on your iCloud account, there’s nothing else to do—signing into iMessage or FaceTime on a new device will now prompt you to generate an app-specific password on the AppleID management page. If you’re unfamiliar, app-specific passwords are randomly generated passwords separate from your main account password that you typically use once to grant access to a specific app, and you can only generate these passwords using a device that has already been verified with your account. Once you’ve generated a password, you’ll enter that into the password field along with your AppleID to sign in.

The experience isn’t as good as it could be. Tap the “create” button on an iPhone, for example, and you’ll be directed to the desktop version of a sign-in page to generate your password; ideally, Apple will come up with something a bit more mobile-friendly in the future. Several Apple services still aren’t protected by two-factor authentication—you can sign in to iTunes, the App Store, or the online Apple Store without needing anything other than your account password—but it makes sense for Apple to focus first on services that are more likely to expose sensitive data.

Note: iTunes and the Apple App Store still aren’t under the two-factor authentication umbrella.
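As an added illustration, not Apple’s code (its actual scheme is not public), here is a minimal model of app-specific passwords as the article describes them: issued only from a device already verified for a 2FA-enabled account, random and separate from the main password, stored only as a hash, and revocable per app. The password format, the PBKDF2 parameters and the account and device names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AppPassword:
    label: str            # the app or device this credential was issued to
    salt: bytes
    digest: bytes
    revoked: bool = False


@dataclass
class Account:
    apple_id: str
    two_factor_enabled: bool
    verified_devices: set = field(default_factory=set)  # devices that completed 2FA
    app_passwords: list = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    # Key stretching parameters are an assumption; Apple does not publish its scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def issue_app_password(account: Account, requesting_device: str, label: str):
    """Mint a random password for one app. Mirrors the two rules in the text:
    the account must have 2FA on, and the request must come from a device
    that is already verified. Returns None if either rule fails."""
    if not account.two_factor_enabled:
        return None
    if requesting_device not in account.verified_devices:
        return None
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    # Four groups of four letters; the format is an assumption for readability.
    password = "-".join(
        "".join(secrets.choice(alphabet) for _ in range(4)) for _ in range(4)
    )
    salt = secrets.token_bytes(16)
    account.app_passwords.append(AppPassword(label, salt, _digest(password, salt)))
    return password  # shown to the user once; only the digest is kept


def app_sign_in(account: Account, apple_id: str, password: str):
    """Authenticate an iMessage/FaceTime-style sign-in. In this model only an
    unrevoked app-specific password is accepted; the main account password is
    not stored here at all, so a leaked app password cannot be reused for
    the whole account. Returns the label of the matching credential, or None."""
    if apple_id != account.apple_id:
        return None
    for entry in account.app_passwords:
        if entry.revoked:
            continue
        if hmac.compare_digest(_digest(password, entry.salt), entry.digest):
            return entry.label
    return None


def revoke_app_password(account: Account, label: str) -> int:
    """Revoke every credential issued under `label`; other apps keep working.
    Returns how many entries were revoked."""
    count = 0
    for entry in account.app_passwords:
        if entry.label == label and not entry.revoked:
            entry.revoked = True
            count += 1
    return count


if __name__ == "__main__":
    acct = Account("alice@example.com", True, {"alices-iphone"})
    pw = issue_app_password(acct, "alices-iphone", "iMessage on iPad")
    print("issued:", pw)
    print("sign-in as:", app_sign_in(acct, "alice@example.com", pw))
```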

Via: arstechnica

Amazon Starting Email Service

According to multiple sources, Amazon is starting up a cloud-hosted email service.

Called WorkMail, it looks as though it’ll be price-competitive with similar offerings from Microsoft and Google. Looking into my crystal ball, I assume they’ll get some adoption in 2015. What does this mean to you, dear sender?

Get ready, because eventually you’ll have a new platform to send to, with a potentially new set of spam and reputation filters to contend with. Let’s stay tuned and see if this takes off, shall we?

Via: spamresource

Save your YouTube Videos to Google Drive

You have been uploading videos to the YouTube website all this time but you are now looking to explore additional channels. Maybe you can put them on other video hosting websites like Vimeo or your Facebook page to reach an even wider audience. You can bundle the YouTube video files as an iTunes podcast that people can download and watch offline.

The question, then, is how you get your original video files back from YouTube for uploading to other websites. If you have diligently kept a backup of every video file you have ever uploaded to YouTube, you can skip this; otherwise, there are two “official” options.

If you head over to the creator dashboard on the YouTube website, you can download any of your videos with a single click (read how-to). The only downside with this option is that YouTube downsizes your HD videos to 480p.

There’s another option, available inside Google Takeout, that will not only let you download your YouTube videos in their original high resolution but also saves the files directly to your Google Drive. Thus, you can start the download process and it will save all your files, big and small, to Google Drive in the background. Once the files are in Drive, they’ll automatically sync to your desktop, from where you can later upload them to other video websites.

To get started, go to this custom link, click the Next button and choose Add to Drive as your delivery method. That’s it. All your YouTube videos will be zipped and added to the Takeout folder in Drive within a few hours. If the total size of your videos exceeds 2 GB, Takeout will create multiple archives of 2 GB each.

In addition to the original videos, the zipped files from Takeout will also include the video descriptions as well as all your playlists in JSON format.


Via: labnol

Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers

Meanwhile, Anthem victims are now being harassed by scammers trying to collect even more personal information.

In response to the data breach at healthcare insurance provider Anthem, New York’s Department of Financial Services (DFS) announced that it will “integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the department’s examination process.” The Department also plans to issue “enhanced regulations” to insurance companies based in New York, but has not yet solidified what those enhancements will be.

Encryption and multi-factor authentication may be on that list. Healthcare insurers are already subject to the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), each of which has requirements about privacy and security, but neither of which explicitly requires encryption of all personally identifiable information. HIPAA’s focus is on medical data, not identity and employment data like that stolen from Anthem.

An Anthem executive confessed to the New York Times that Anthem had not encrypted the database containing non-medical data, and that it was not required by HIPAA to do so.

The New York DFS today released results of a survey of insurers, outlining some of their cybersecurity practices. In that report, 100 percent of health insurers surveyed said they used encryption for data both in transit and in storage. However, the report does not specify the nature or number of files that are encrypted and those that are not.

DFS also discovered that the largest organizations did not necessarily have the best cybersecurity. From the report:

Notably, the Department’s analysis of the insurers surveyed found that a wide array of factors – not just reported assets – affect the sophistication and comprehensiveness of the insurers’ cyber security programs. Those factors include reported assets, transactional frequency, the variety of business lines (insurance and non-insurance) written, and the sales and marketing technologies associated with those lines.

In other words, although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the Department did not necessarily find that to be the case.

DFS also indicated that it was considering the risks of third-party security breaches, stating that it was “exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors.”

Meanwhile, individuals whose personal information was exposed in the Anthem breach are now falling prey to scammers. Anthem warned customers about scammers contacting breach victims via email or phone, posing as Anthem representatives, and soliciting even more personal data. Anthem stated that there’s no evidence that those conducting the scams are the same ones who carried out the breach.

Via: darkreading

A look at Anthem’s PR response following the data breach

Health insurer Anthem is proactively reaching out to members to specifically explain that there is no evidence credit card or medical information was targeted or compromised as part of the data breach it discovered last week.

As many as 80 million people could be affected by the cyberattack, which could go down as the largest data breach ever acknowledged by a healthcare company.

Ketchum, Anthem’s public relations firm, is providing the health insurance giant with subject matter experts and advising the company on best practices, said Kristin Binns, VP of PR at the insurer.

“Our main priority is to be clear about the information we have assessed that has not been included in this breach, such as medical, banking, and credit card information,” Binns explained. “We want to make this clear to our customers, so we start eliminating initial concerns as best we can.”

Attackers did, however, gain unauthorized access to Anthem’s IT system and obtained personal information from current and former customers, such as their names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment information. They may have also stolen income data, Anthem president and CEO Joseph Swedish confirmed in an open letter posted on the company’s website.

After a string of cyberattacks against major companies in the US and globally in recent years, Binns said customers expect organizations to communicate about breaches as soon as possible and transparently.

“We were very cognizant about being expeditious with our response,” she said, noting that her team executed a notification plan within a week of becoming aware of the attack. “But the challenge with this was making sure we had enough information to ensure what we were putting out there was accurate.”

Once the attack was discovered, Anthem “immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating with their investigation,” Swedish said in his letter. It also retained cybersecurity firm Mandiant to evaluate Anthem’s systems and identify solutions, Swedish added.

Anthem also launched a microsite, which customers could access via a link from the company’s homepage, that includes an FAQ list and Swedish’s letter. It also emailed the memo directly to customers who opted to receive information from the company, Binns said.

The insurer also shared the open letter on Anthem’s social media channels on Facebook and Twitter.

Via: scmagazine

Hackers See Rewarding Targets in Health Care Firms

Health care is a treasure trove for criminals looking to steal reams of personal information, as the hacking of a database maintained by the second-largest U.S. health insurer proves.

The latest breach at health insurer Anthem Inc. follows a year in which more than 10 million people were affected by health care data breaches — including hacking or accidents that exposed personal information, such as lost laptops — according to a government database that tracks incidents affecting at least 500 people. The numbers, compiled by the Department of Health and Human Services, show that last year was the worst for health care hacking since 2011, when more than 11 million people were affected.

Health care hacking is becoming more of a focus as retailers and other businesses have clamped down on security after massive breaches at companies like Target and Home Depot. That has made it more difficult in some cases for cyber thieves to infiltrate their systems. As a result, they’ve turned their attention toward health care.

Experts say health care companies can provide many entry points into their systems for crooks to steal data. And once criminals get that information, they can pull off far more extensive and lucrative schemes.

“If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly,” said Tony Anscombe, a security expert with the cybersecurity firm AVG Technologies. “With medical records and a social security number, it’s not so simple.”

Anthem said late Wednesday that hackers broke into a database storing information on 80 million people in an attack the company discovered last week. The Blue Cross Blue Shield insurer said the hackers gained access to names, birthdates, email addresses, employment details, Social Security numbers, incomes and street addresses of people who are currently covered or have had coverage in the past.

The insurer, which covers more than 37 million people, said credit card information wasn’t compromised, and it has yet to find any evidence that medical information was targeted. Anthem Inc. doesn’t know how many people were affected by the attack, but a spokeswoman said that number was probably in the “tens of millions.”

The attackers used custom malware that was designed to avoid detection by anti-virus programs, said David Damato, managing director of FireEye, a Silicon Valley cybersecurity firm and corporate parent of Mandiant, an emergency response group hired by Anthem to investigate the breach. Damato said groups with that ability are typically either sophisticated financial crime rings or hackers backed by “nation states,” such as a foreign government. When asked if the investigation is pointing in either direction, Damato said he couldn’t answer.

“We’re very early on in the investigation,” he said.

It appears the attack was aimed specifically at a database that contained financial and personal identifying information, but not records of medical treatment, said Damato. “It’s fairly evident the attacker was focused on this one source of data,” he said, adding that the hackers may have performed “some sort of reconnaissance” to find that database. While he did not elaborate, he said the attackers managed to evade “multiple layers of security” within Anthem’s computer systems.

The impact could be far-reaching. The hackers may have simply been probing Anthem’s defenses with plans to plant malware that steals information or to come back with a much larger attack, said Eran Barak, CEO of another cybersecurity firm, Hexadite.

Other experts caution that the hackers may have indeed made off with medical information, and that has not been discovered yet.

Criminals who obtain stolen Social Security or health insurance account numbers have shown more sophistication than the average credit-card fraudster, according to Pam Dixon, executive director of the World Privacy Forum, a consumer advocacy group.

Rather than use the information right away, she said some crooks will sit on Social Security or health insurance files for a year or more before using them to create new identities and apply for benefits.

“What they like to do is season the data for a time, to allow the credit monitoring subscription to expire, and wait until people get sloppy or complacent” about monitoring their own accounts for fraud, she said.

Health records also command a much higher price than credit card accounts on the online black markets where hackers buy and sell stolen information, said Al Pascual, director of fraud and security at Javelin Strategy & Research, a financial industry research firm.

He estimated in an interview last fall that an individual’s medical records might fetch as much as $50, while credit card account information may only be worth $5.

“A health record has everything – financial account information, Social Security number, health information,” he said. “That makes all the records stored at your health provider and insurer incredibly valuable.”

Medical records can be used to extort people, with the hacker demanding money to prevent the sensitive release of information. They also can be sold to criminals who could construct billing and insurance scams involving fake medical centers or target patients for phone scams.

“That’s the kind of sophistication we have in cybercrime,” said Mark Bower, a vice president with the cybersecurity firm Voltage Security. “We have networks of criminals who can use this data whenever it’s available based on their skill set.”

Hackers can also find, in some health care companies, security practices that are not as mature as they are in other industries, Bower said. Clinics, labs, doctors’ offices, insurers and hospitals all offer different entry points for hackers to attack. That mix of systems can come with great variation in security quality.

For its part, Anthem said hackers executed a “very sophisticated” attack on its system, and it contacted the FBI and made “every effort” to close the security vulnerability once it discovered it.

Company spokeswoman Kristin Binns said the data accessed was not encrypted, but that would not have thwarted this attack because the hacker also had a system administrator’s ID and password. She said the company normally encrypts data that it exports.

The federal government also is investigating whether the personal information of Medicare and Medicaid beneficiaries was stolen. Those government programs are a major business for Anthem.

Via: enterprise-security-today

Hackers Breach Book2Park, Barbecue Renew, EgoPay

Book2Park is the third airport parking site to be breached in as many weeks.

The airport parking service Book2Park.com was recently hit by the same hacker group that breached Target and Home Depot, according to investigative reporter Brian Krebs.

A new batch of stolen credit card numbers was offered for sale last week on the Rescator cybercrime shop, and according to Krebs, several banks found the same pattern among the cards being sold — all had recently been used to make parking reservations at Book2Park.com.

Book2Park.com owner Anna Infante told Krebs that she wasn’t aware of a credit card breach, but that a third party technology firm had recently uncovered and removed malware from the company’s Web server.

“We already took action on this, and we are totally on it,” Infante said. “We are taking all further steps in protecting our customers and reporting this to the proper authorities.”

As Krebs notes, the same hacker group also recently breached the airport parking sites Park ‘N Fly and OneStopParking.com — it’s not clear why online parking reservation systems have become such an attractive target for hackers.

In a similar but unrelated breach, Barbecue Renew, an e-commerce retailer offering grilling accessories, equipment and replacement parts through its website grillparts.com, recently began notifying an undisclosed number of customers that their credit information may have been accessed by hackers (h/t SC Magazine).

Data potentially accessed includes customers’ first and last names, addresses, credit card account numbers, expiration dates and card security codes.

Barbecue Renew was notified twice in October and November of 2014 that banks had uncovered incidents of possible fraud associated with credit cards that had been used at grillparts.com.

“Barbecue Renew immediately notified law enforcement, retained a third party forensic investigator, and took immediate steps to determine what information may have been accessed and the extent of any possible compromise of cardholder data,” the company said in a notification letter [PDF] to those affected.

The investigation determined that cardholder data was exposed on three separate occasions between January 2014 and October 2014.

“We are working with leading IT security firms, data privacy and protection attorneys, law enforcement and payment industry contacts to continue to address this incident,” the company said. “Additionally, we are devoting all necessary resources to our ongoing efforts to enhance our information security policies and procedures in light of this incident to minimize the risk of such incidents in the future.”

And payment processor EgoPay recently acknowledged that it was breached by hackers in late December 2014. The company’s former CEO Tadas Kasputis told CoinDesk that EgoPay’s Bitcoin-related customers lost $1.1 million as a result of the breach.

One customer told CoinDesk he had lost $80,000, and payment solutions company Payeer said it lost $185,503.32.

“False values were made available in the merchants platform, when no actual value was transmitted in Egopay,” the company explained in a blog post. “This hacker then proceeded to convert this fake value into irreversible currencies all within a one hour window.”

After concluding that the attack must have been perpetrated by someone with insider access, EgoPay suspended several suspected employees while the investigation was underway. “Unfortunately, this resulted in our support services being delayed or non-existent,” the company noted.

“Repeatedly while trying to provide answers to our members, something new would unfold making any explanation meaningless,” the company added. “Rightfully, people are upset at us. We failed to communicate. We failed our membership base. We take full responsibility on this.”

Via: esecurityplanet

White Lodging Hotels apparently hacked, exposing guests’ credit cards

White Lodging — a company that maintains Hilton, Marriott, Sheraton and Westin hotel franchises — has apparently suffered a data breach that exposed guests’ credit and debit card information in 2013, independent security researcher Brian Krebs said.

Banking industry sources noticed fraud among hundreds of cards that had been previously used at Marriott hotels, wrote Krebs, who first reported that Target had suffered a massive data breach around Black Friday last year.

“But those same sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago, Denver, Los Angeles, Louisville and Tampa,” Krebs wrote.

“Turns out, the common thread among all of those Marriott locations is that they are managed” by White Lodging, he said.

White Lodging, based in Merrillville, Indiana, issued a statement saying the breach occurred from March 20 to December 16 and affected only people who used their credit cards in the affected hotels’ restaurants and bars. The 14 hotels include Marriott, Radisson, Renaissance, Sheraton, Westin and Holiday Inn franchises around the country.

Marriott said it will continue to monitor the situation.

“We are working closely with the franchise management company as they investigate the matter,” spokesman Jeff Flaherty said. “Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide.”

White Lodging is just the latest American business to investigate a security breach.

The hacking of Target’s systems could be the largest breach in U.S. retail history. It affected up to 110 million customers, including 40 million credit and debit cards and up to 70 million customers’ personal information.

The retailer discovered the breach in mid-December, notified customers several days later, and launched an investigation with the help of a private security firm and law enforcement.

Since Target’s disclosure, high-end retailer Neiman Marcus announced more than 1 million customer cards were compromised in a breach last summer.

And last month, crafts retailer Michaels said its systems may have been breached.

It isn’t immediately clear if these possible attacks are related. Security experts have warned it is likely other companies were targeted by the hackers who hit Target.

U.S. Attorney General Eric Holder spoke about a federal investigation at a Senate hearing last week.

“We are committed to working to find not only the perpetrators of these sorts of data breaches, but also any individuals and groups who exploit that data via credit card fraud,” Holder said.

Via: cnn

Marriott Hotels Hit by Credit Card Breach

Several financial institutions recently uncovered fraud on credit and debit cards that were all recently used at Marriott hotels run by franchise operator White Lodging Services, according to investigative reporter Brian Krebs.

Many of the same Marriott locations were previously breached in 2013, when thousands of customers’ credit card and debit card information was stolen from 14 White Lodging hotel locations.

As was the case with the 2013 breach, Krebs says the recent breach appears to be linked to hacked point of sale systems at restaurants and bars within the hotels.

Customers whose payment card information was stolen in the most recent breach had used their cards at Marriott locations run by White Lodging between September 2014 and January 2015.

“We recently were made aware of the possibility of unusual credit card transactions at a number of hotels operated by one of our franchise management companies,” Marriott spokesman Jeff Flaherty told Krebs. “We understand the franchise company is looking into the matter.”

“Because the suspected issue is related to systems that Marriott does not own or control, we do not have additional information to provide,” Flaherty added.

White Lodging spokesperson Kathleen Sebastian told Krebs the company has hired a security firm to investigate the issue. “To this date, we have found no identifiable infection that would lead us to believe a breach has occurred,” she said. “Our investigation is ongoing.”

Sebastian said that in the time since the 2013 breach, White Lodging has installed a third party managed firewall system, dual-factor authentication, and “various other systems as guided by our third-party cyber security service.”

It’s been a rough few weeks for Marriott — security researcher Randy Westergren also recently discovered that the Marriott International Android app was exposing its users’ reservation data and contact information.

“Marriott was fetching upcoming reservations with a completely unauthenticated request to their web service, meaning one could query the reservations of any rewards member by simply specifying the Membership ID (rewards number),” Westergren wrote in a blog post detailing the vulnerability.

Although Westergren told Forbes the vulnerability had likely been in place for four years, Marriott’s response was impressive — Westergren said the vulnerability was resolved within one day of his informing the company of the flaw.
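An added example, not Marriott’s code or Westergren’s: the unauthenticated lookup as he describes it, beside a hardened form that takes the member id from an authenticated session instead of the request, plus a log check for the id enumeration that such an endpoint invites. The API path, session tokens, reservation records and log lines are all constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Reservation:
    member_id: str
    hotel: str
    check_in: str


# Constructed stand-in for the reservation back end.
RESERVATIONS = [
    Reservation("100200300", "Austin", "2015-03-02"),
    Reservation("100200300", "Tampa", "2015-04-18"),
    Reservation("100200301", "Denver", "2015-03-10"),
]

# Constructed session store: opaque session token -> member id it belongs to.
SESSIONS = {"sess-alice": "100200300"}


def fetch_reservations_vulnerable(member_id: str):
    """The pattern Westergren described: the caller supplies a rewards number
    and the service answers with no authentication at all, so any member's
    upcoming stays can be read by anyone who knows or guesses an id."""
    return [r for r in RESERVATIONS if r.member_id == member_id]


def fetch_reservations_hardened(session_token: str):
    """Hardened form: the member id is never taken from the request. It is
    derived from an authenticated session, so a caller can only ever see
    their own reservations. Returns an (http_status, reservations) pair."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, []
    return 200, [r for r in RESERVATIONS if r.member_id == owner]


# Constructed access-log excerpt (hypothetical path, common-log-like format).
SAMPLE_LOG = """\
203.0.113.7 - "GET /api/reservations?memberId=100200300 HTTP/1.1" 200
203.0.113.7 - "GET /api/reservations?memberId=100200301 HTTP/1.1" 200
203.0.113.7 - "GET /api/reservations?memberId=100200302 HTTP/1.1" 200
203.0.113.7 - "GET /api/reservations?memberId=100200303 HTTP/1.1" 200
198.51.100.4 - "GET /api/reservations?memberId=100200300 HTTP/1.1" 200
198.51.100.4 - "GET /api/reservations?memberId=100200300 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) - "GET /api/reservations\?memberId=(\d+) ')


def find_enumerators(log_text: str, threshold: int = 3) -> dict:
    """Flag clients that requested at least `threshold` distinct member ids.
    A legitimate app queries one id repeatedly; scraping of an unauthenticated
    endpoint looks like one client walking many ids. Returns {ip: id_count}."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(m.group(2))
    return {ip: len(ids) for ip, ids in ids_by_client.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable, no session:", fetch_reservations_vulnerable("100200301"))
    print("hardened, forged token:", fetch_reservations_hardened("sess-forged"))
    print("hardened, real session:", fetch_reservations_hardened("sess-alice"))
    print("enumerating clients:", find_enumerators(SAMPLE_LOG))
```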

Via: esecurityplanet