Monthly Archives: February 2015

Sony data breach claims first scalp as co-chair steps down

Amy Pascal, co-chair of Sony Pictures Entertainment, has stepped down in the wake of the massive cyber attack and data breach at the company in November, which exposed comments in her private emails.

Pascal was one of the high-profile Sony executives whose emails were leaked, revealing that she had made derogatory comments about the viewing habits of President Barack Obama in an email to producer Scott Rudin.

Pascal and Rudin have both apologised for the emails, with Pascal saying in a statement that the content of her emails was “insensitive and inappropriate, but are not an accurate reflection of who I am”.

Pascal now plans to start a production company that will launch in May 2015 and will be funded for at least the next four years by Sony, which will retain distribution rights, reports the BBC.

“I have spent almost my entire professional life at Sony Pictures and I am energised to be starting this new chapter based at the company I call home,” Pascal said in a statement.

She added that her transition to a production role had been discussed “for some time”.

Sony has not yet named a successor to Pascal, leaving Michael Lynton as the sole head of one of Hollywood’s biggest production studios.

Although Lynton has admitted the company was unprepared for the nature and extent of the cyber attack, there have not yet been any resignations by any executives responsible for information security at the firm.

Two months after the high-profile data breach at US retailer Target in December 2013, chief information officer Beth Jacob resigned, followed two months later by chief executive and chairman Gregg Steinhafel.

On 24 November, Sony revealed that it had been hacked by a group calling themselves Guardians of Peace (GOP), which shut down parts of the company’s network and stole internal data.

The attack disabled computers, and employees found that they had lost all past email, contacts, distribution lists, budgets and anything else stored on the network.

Data released online shows the attackers accessed a wide variety of information, including a list of employee salaries and bonuses, internal emails and unreleased films.

Despite the difficulty of attribution in cyber attacks, because of the many ways of hiding the source of an attack, US authorities claim the attack can be traced to North Korea.

The apparent motive for the attack was in retaliation for Sony’s decision to produce The Interview, a comedy film about a plot to assassinate Korea’s leader, Kim Jong-Un.

This week, however, US security firm Taia Global claimed that Russian hackers also played a part in the attack, and that the hackers still have access to the movie studio’s computer systems.

A Taia Global report alleges that Russian hackers managed to gain access to Sony Pictures Entertainment’s computer systems at the same time as GOP.

Jeffrey Carr, Taia chief executive, claims to have received multiple files from a Russian hacker called Yama Tough that appear to be internal Sony documents that were not included in any data published by GOP, and that at least one document has been verified as legitimate by its author.

According to the Taia report, Sony Pictures is “still in a state of breach” because the security firm has received documents from Sony from late January 2015, long after the hack supposedly ended.

The report suggests that either the Russian hackers attacked Sony at the same time as the GOP, or North Korea was not involved at all.

Business Insider suggests that a third option not considered by Taia is that North Korea or North Korean-affiliated hackers carried out the attack, but at some later date the previously unseen documents left their possession, eventually reaching Taia.

An unknown intermediary may have fooled Yama Tough, or Tough could be lying to Taia about where he got the documents, which means there is not necessarily any Russian involvement.

Carr told Forbes he was “100% certain” the information was legitimate, but admitted the source might be Yama Tough himself, although he has denied the allegation.

Via: computerweekly

Chipotle apologises for offensive tweets, says account was hacked

Fast-food restaurant chain Chipotle was forced to apologise after its Twitter account was used to post racist, homophobic and anti-government tweets on Sunday morning.

The attack, which occurred just after 1am ET, saw the company’s profile picture changed from its usual pepper logo to a swastika. The profile description was also altered to read:

The official Twitter account of @TUGFeds and @TheCeltic666

Both of those accounts have subsequently been suspended by Twitter.

After regaining control of its errant @ChipotleTweets account, the company said sorry to its followers:

We apologize for the very offensive messages sent out from our account earlier tonight. We were unfortunately hijacked temporarily. -Joe

Screenshots captured by Time before the account was reclaimed show some of the offensive tweets, which include anti-establishment messages such as:

F*CK THE GOVERNMENT AND FBI, UR ALL FRAUDS THAT LINE UR POCKETS HAHAHAHA LOSERS, F*CK YOU ALL

In a continuation of the political theme, the attacker also suggested Chipotle was “in full support of the Nazi party” and directed a racial slur at President Obama.

In an official statement, Chipotle’s communications director Chris Arnold said:

Our Twitter account was hijacked overnight for about two hours during which a series of offensive tweets was posted to the account.

We apologise for the nature of the posts that were made during that time, and we are now conducting an investigation to try to determine what happened and who might have been involved.

While the motive for the hack is unclear, it is possible that the attackers were acting out of a sense of irony after Chipotle itself seemingly orchestrated a fake Twitter account hack in 2013 – as part of a 20th anniversary publicity campaign.

A series of tweets from the company at first appeared to be random and nonsensical until it later became clear that they contained a list of ingredients for its guacamole recipe. Speaking at the time, Arnold told Mashable that:

We thought that people would pay attention, that it would cut through people’s attention and make them talk, and it did that.

It was definitely thought out: We didn’t want it to be harmful or hateful or controversial.

The Mexican food chain isn’t the first Twitter account to be hacked this year – in January US pop star Taylor Swift had her account taken over for a short while as an attacker pushed out tweets promoting two other Twitter accounts that were themselves quickly suspended.

As John Zorabedian noted at the time, the best way to protect your own social media accounts from befalling a similar fate is to employ two-factor authentication where available.

Doing so adds an additional layer of security, requiring a would-be attacker to not only circumnavigate your password but also an additional identifying factor, such as a code sent to your phone via SMS.

And, of course, it’s really important to make sure you use strong, unique passwords for every single one of your online accounts. If you’re not sure what makes a password “strong”, then watch our video on how to pick a proper password.

Via: sophos

Scammers Now Targeting Anthem Data Breach Victims Via Email And Phone

A one-two punch for the victims of the Anthem data breach: individuals impacted by the massive cyber attack on the health insurance provider, which affected up to 80 million Americans, are now being warned that they are being targeted by scammers trying to trick them into revealing additional personal information. Scammers are running email phishing campaigns, and even placing phone calls to affected customers, Anthem says.

The phishing emails have been crafted so they appear to be from Anthem, and include a “click here” link that purportedly takes customers to a credit monitoring website.

According to an advisory issued by Anthem, these emails are not coming from the company itself, as it only plans to contact current and former members via U.S. Postal mail, not email. These forthcoming mailings will include information on how to receive the free credit monitoring and the ID protection services that Anthem is providing.

Additionally, the insurer reminds customers that not only should they ignore the scam emails and not click the links they contain, it will also not be calling members by phone, and will not be asking for sensitive information like credit card numbers or social security numbers over the phone.

However, notes Anthem in its announcement, there’s no evidence that the scammers sending out the phishing emails or placing the phone calls are those who originally attacked the network. Instead, it’s likely that these scams are “random and opportunistic,” says security expert Brian Krebs in a post where he discusses the scams, noting that it’s possible that the hacked data has simply fallen into the hands of other scam artists.

The Anthem data breach was significant, with cyber criminals gaining access to names, social security numbers, date of birth, addresses, phone numbers, medical IDs and more from the company’s customers. There’s currently some speculation that the attack was led by state-sponsored hackers in China, but the FBI has not confirmed this.

Today, New York’s Financial Services Department also announced that it has planned cybersecurity reviews of insurers in the wake of the Anthem attack, and will issue “enhanced regulations” that will require insurers to meet “heightened standards for cyber security.”

Victims of the data breach can get more information from Anthem’s toll-free hotline: 877-263-7995.

Image credit: Krebsonsecurity.com 

Via: techcrunch

Google Uses Hangouts As A Virtual Genius Bar To Sell Google Devices

In 2013, Google expanded its Hangouts video conferencing service into a commerce platform called Helpouts, where people buy and sell services like cooking or technical advice via live video. Now Google has developed another new service based on its Hangouts infrastructure. It is running a live video chat service for would-be buyers of Google smartphones, tablets and Chromebooks (but not Nest products) to ask Google Device Experts questions and chat about the products before sealing the deal.

(And unlike Helpouts, this service is free.)

We were tipped off to the service by some of the people working on the project, and Google has confirmed some of the details.

“We’re always improving features to help our users,” said a spokesperson. “We’re in a limited trial of an experimental support feature and gathering feedback, so we aren’t ready to share full plans yet.”

Our sources provide some more information. The service, which went live quietly in November, is initially being run as a test through the Devices channel of Google Play, but Google wants to extend the idea to more places, both virtual and physical.

“They are also planning to go into retail stores with a virtual help desk to enhance the shopping experience,” a source tells us, who described the bigger project as “Google’s virtual Genius Bar,” referring to the Apple Retail in-store operation where Apple employees, lined up behind a bar, offer in-person technical support on Apple devices. It’s not clear yet how far along Google is in implementing this concept of a virtual help desk in retail locations.

It also bears a resemblance to Amazon’s Mayday service, the company’s tech support system introduced in 2013 that currently works only on Kindle Fire HDX, Kindle Fire HDX 8.9″, Fire HDX 8.9, and Fire Phone devices and in a limited number of countries. Unlike Mayday, Google’s video helper currently does not cover straight tech support.

The feature for now is only live between 6am and 6pm Pacific time, and to get to it, you navigate through the online Google Play Store to the Devices category. There, you select the help icon in the upper right corner, and if you indicate you are interested in buying a device, you are given the option of making a video call to ask more questions.

In my test of it, my call was answered within seconds. The smiley woman at the other end of the Hangout knew I was calling from the UK, and was happy to answer all of my questions about Google devices and to show me more details if needed on a second video demonstration screen. Also, she didn’t seem disappointed at all when I told her I wasn’t really buying anything, and was just a journalist trying out the service.

Google Device Experts is being run within Google but with contractors from an external company called Milestone Technologies. Milestone also partners with Apple, Cisco, Palo Alto Networks and others and provides various services like IT support, contact center services, and professional services.

Developing a service like this pulls together different businesses and strategies for Google in its move to diversify away from its core business as a search engine. It emphasizes its cloud-based, live video technology. It’s aimed at driving more sales of its hardware. And (potentially) it brings Google deeper into the physical retail commerce. It would be interesting to see if Google, in its growing suite of enterprise services, eventually offers some part of a service like this to other businesses.

Via: techcrunch

Your Info Has Been Hacked. Here’s What To Do

Hackers have stolen personal information from tens of millions of people with Anthem health insurance. The nation’s second-largest health insurer, formerly known as WellPoint, said hackers stole Social Security numbers, names, birthdates, email addresses, employment details, incomes and street addresses of people who are currently covered or had coverage in the past.

The Anthem hack adds to massive data breaches at JPMorgan, Sony Pictures, Target and Home Depot in the past 18 months. Whether shopping, banking or going to the hospital, Americans are mostly at the mercy of companies to keep their sensitive details safe. But here’s what you can do if your information was stolen.

First Things First

— Notify the credit agencies (Equifax, Experian, TransUnion) and request a 90-day credit alert. (Each reporting agency is supposed to notify the others, but you may want to contact all three yourself.) The alert tells businesses to contact you before opening any new accounts in your name. You can renew the alert every 90 days, or you’re entitled to keep it in effect for seven years if you find that your identity is stolen and file a report with police.

— You might consider asking the reporting agencies to place a full freeze on your credit. This blocks any business from checking your credit to open a new account, so it’s a stronger measure than a credit alert. BUT you should weigh that against the hassle of notifying credit agencies to lift the freeze — which can take a few days — every time you apply for a loan, open a new account or even sign up for utility service.

Be a Detective

— When your credit card bill comes, check closely for any irregularities. And don’t overlook small charges. Crooks are known to charge smaller amounts, usually under $10, to see if you notice. If you don’t, they may charge larger amounts later.

— Get a free credit report once a year from at least one of the major reporting agencies (Equifax, Experian, TransUnion), and review it for unauthorized accounts. Ignore services that charge a fee for credit reports. You can order them without charge at www.annualcreditreport.com. If you order from each agency once a year, you could effectively check your history every four months.

Do Paid Services Work?

— Some experts say there’s not much to be gained from a paid credit monitoring service. But it can’t hurt to sign up for any monitoring Anthem or any other hacked business offers for free. NOTE: These services will tell you if a new account is opened in your name, but they won’t prevent it, and many don’t check for things like bogus cellphone accounts, fraudulent applications for government benefits or claims for medical benefits. Some do offer limited insurance or help from a staffer trained to work with credit issuers and reporting agencies.

Someone Did Steal My Identity, What Do I Do?

— Contact the credit issuer to dispute fraudulent charges and have the bogus account closed.

— Request your credit report and ask the reporting agencies to remove bogus accounts or any incorrect information from your record. See tip #1 on setting up a credit alert and/or freeze.

— Submit a report through the FTC website: www.consumer.ftc.gov. Click the “privacy & identity” tab, which will walk you through creating an affidavit you can show to creditors.

— Keep copies of all reports and correspondence. Use certified mail to get delivery receipts, and keep notes on every phone call.

Avoid Additional Hacks

— After a hack, scammers may try to use the stolen data to trick you into giving up more personal information. They can use that info to steal money from your accounts or open new credit cards.

— Don’t click on any links from emails. Bad software could be downloaded to your computer that can steal account passwords.

— You might get letters in the mail saying you won a tablet or vacation and give you a phone number to call. Don’t do it. It’s likely a ploy to gather more information from you.

— Hang up the phone if you get a call asking for account numbers or other information. Scammers may also send texts, so don’t click on any links from numbers you don’t know.

Via: enterprise-security-today

Madonna Released a Music Video On Snapchat and That’s a Huge Deal

For those of you who, unlike me, are not in Snapchat 100 times a day, something cool happened today. Today Madonna released the world premiere of her new music video on Snapchat’s new Discover platform.

This is all part of Snapchat’s Discover world, and it’s completely different than how the platform has been used since its launch. Discover is media consumption on Snapchat. There are no “brand stories” any more. This is the media platform Snapchat is going with. This is how they will partner with brands. There is very little difference between this execution and Yahoo’s execution in the mid-nineties. It’s a portal to content. They have the attention and now they’re selling it back to brands.

There are a couple of interesting things here. One, Madonna has historically been known as being nimble and adaptable to the times. I think that dropped off somewhere around 2003, but the fact that she was able to do this makes me super happy for her. In some weird way, I’ve always associated myself with Madonna. I know that sounds funny but she always adapts to the times, and I respect that.

Two, it’s a huge coup for Snapchat. The Madonna brand feels a little bit off from a Snapchat standpoint, but there is something there that everyone should pay attention to, which is this: I wouldn’t say the Madonna brand is any different or more out of place than the Yahoo brand or the CNN brand that we can now find in Discover.

What I think you’re seeing from Snapchat is a very keen awareness that a lot of the people with money regard them as a “bunch of kids”. By partnering with brands like CNN and Cosmo, and Madonna, in a world where Drake, or The Biebs, or a million other people would have loved to have this spot, Snapchat is putting itself in a very smart place by aging up through the content they are providing. And that is super important for them. I’ve talked about “youthification” before, but this is… “age-up-ification”?

Whereas some may say “They’re going to alienate their base by showing this Madonna video,” I promise you that the 15-year-old girl who has never even heard of Madonna (that’s right: go look at recent conversations about Paul McCartney and Missy Elliott) is not going to all of a sudden stop using Snapchat just because Madonna is the first video they launched.

People underestimate the amazing brand equity that Snapchat has. They’re acting like a media company now, which falls in line with my belief that every business in the world is a media company. Now platforms themselves are media companies. Plus, it gives Madonna access to an audience that she has struggled with, and that’s smart on her part there too.

Via: linkedin

The World’s Email Encryption Software Relies on One Guy, Who is Going Broke

Werner Koch’s code powers the email encryption programs around the world. If only somebody would pay him for the work.

The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.

Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.

“I’m too idealistic,” he told me in an interview at a hacker convention in Germany in December. “In early 2013 I was really about to give it all up and take a straight job.” But then the Snowden news broke, and “I realized this was not the time to cancel.”

Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.

Now, more than a year after Snowden’s revelations, Koch is still struggling to raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He says he’s made about $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date — far short of his goal of $137,000 — which would allow him to pay himself a decent salary and hire a full-time developer.

The fact that so much of the Internet’s security software is underfunded is becoming increasingly problematic. Last year, in the wake of the Heartbleed bug, I wrote that while the U.S. spends more than $50 billion per year on spying and intelligence, pennies go to Internet security. The bug revealed that an encryption program used by everybody from Amazon to Twitter was maintained by just four programmers, only one of whom called it his full-time job. A group of tech companies stepped in to fund it.

Koch’s code powers the most popular email encryption programs: GPGTools, Enigmail, and GPG4Win. “If there is one nightmare that we fear, then it’s the fact that Werner Koch is no longer available,” said Enigmail developer Nicolai Josuttis. “It’s a shame that he is alone and that he has such a bad financial situation.”

The programs are also underfunded. Enigmail is maintained by two developers in their spare time. Both have other full-time jobs. Enigmail’s lead developer, Patrick Brunschwig, told me that Enigmail receives about $1,000 a year in donations — just enough to keep the website online.

GPGTools, which allows users to encrypt email from Apple Mail, announced in October that it would start charging users a small fee. The other popular program, GPG4Win, is run by Koch himself.

Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. Prior to that, powerful computer-enabled encryption was only available to the government and large companies that could pay licensing fees. The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.

In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. “We can’t export it, but if you write it, we can import it,” he said.

Inspired, Koch decided to try. “I figured I can do it,” he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman’s free Gnu operating system.

Koch’s software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn’t subject to U.S. export restrictions.

Photo caption: Like many people who build security software, Koch believes that offering the underlying code for free is the best way to demonstrate that there are no hidden backdoors giving access to spy agencies or others. (Willi Nothers for ProPublica)

Koch continued to work on GPG in between consulting projects until 1999, when the German government gave him a grant to make GPG compatible with the Microsoft Windows operating system. The money allowed him to hire a programmer to maintain the software while also building the Windows version, which became GPG4Win. This remains the primary free encryption program for Windows machines.

In 2005, Koch won another contract from the German government to support the development of another email encryption method. But in 2010, the funding ran out.

For almost two years, Koch continued to pay his programmer in the hope that he could find more funding. “But nothing came,” Koch recalled. So, in August 2012, he had to let the programmer go. By summer 2013, Koch was himself ready to quit.

But after the Snowden news broke, Koch decided to launch a fundraising campaign. He set up an appeal at a crowdsourcing website, made t-shirts and stickers to give to donors, and advertised it on his website. In the end, he earned just $21,000.

The campaign gave Koch, who has an 8-year-old daughter and a wife who isn’t working, some breathing room. But when I asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. “I’m very glad that there is money for the next three months,” Koch said. “Really I am better at programming than this business stuff.”

Update, Feb. 5, 2015, 8:10 p.m.: Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation’s Core Infrastructure Initiative. Werner told us he only received permission to disclose it after the original article published. Meanwhile, since our story was posted, donations flooded Werner’s website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

Via: propublica

Apple fixes 33 security bugs with iOS 8.1.3 update

Apple has fixed 33 security flaws in its iOS 8, including one that reportedly kills the exploits used by TaiG Jailbreak, as part of an iOS 8.1.3 update issued late last week, according to MacRumors.

Among the fixes, the update, which is available for iPhone 4s, 5th-generation iPod touch and iPad 2 (and later) devices:

  • added path checks to fix a vulnerability (CVE-2014-4480) that would allow attackers access to protected areas of the filesystem through a malicious afc command;
  • addressed integer (CVE-2014-4481) and buffer (CVE-2014-4483) overflow issues that could lead to app termination or arbitrary code execution when a malicious PDF is opened, by improving bounds checking;
  • improved segment size validation to fix a flaw (CVE-2014-4455) in the handling of Mach-O executable files that could let a local user execute unsigned code.

The update also included a fix for an information disclosure issue (CVE-2014-4491) in the way APIs related to kernel extensions are handled: responses containing an OSBundleMachOHeaders key may have included kernel addresses, allowing attackers to bypass address space layout randomization. Apple fixed the problem by “unsliding the addresses before returning them.”

Apple also improved filtering of URLs opened by the iTunes Store to prevent a website from getting around sandbox restrictions (CVE-2014-8840).

The update also improved stability and performance, the release noted, including reducing the storage needed to do a software update and fixing an issue that kept some users from entering Apple ID passwords for Messages and FaceTime.

Via: scmagazine

Anthem breach: what we know so far

The massive external cyber attack on Anthem that allowed attackers to gain unauthorized access to the managed health care company’s IT system and obtain personal information from millions of current and former customers and employees turns a harsh spotlight on the security of information in healthcare organizations. While details continue to emerge, here’s what we know so far about the information at risk and the company’s response from a message from Joseph Swedish, president and CEO of Anthem, and a FAQ posted to the company’s website:

  • The information that was compromised includes names, dates of birth, member IDs and Social Security numbers, addresses, phone numbers, email addresses, and employment information, including income data. Unconfirmed reports indicate that the information was unencrypted.
  • There is no evidence that payment card data and medical information, such as claims, test results, and diagnostic codes, were compromised.
  • Anthem is working to determine exactly how many members were impacted. Anthem will notify all impacted individuals through written communications in the coming weeks, and will offer them free credit monitoring and identity theft protection services.
  • Anthem made every effort to close the security vulnerability once the attack was discovered. Anthem is working to ensure that there are no further vulnerabilities in its database warehouses, and is taking steps to make its systems and security processes better and more secure.
  • Anthem notified the FBI and is cooperating in an investigation, and additionally retained security firm Mandiant to evaluate its systems and identify solutions. As of the postings, the attacker has not been identified.
  • All lines of Anthem business have been impacted, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare.

Via: scmagazine

Landmark HIPAA settlement confirms push to firm up patching schedules

For the first time, a medical services provider will have to pay a “neglect” settlement over Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations that led to a data breach.

Anchorage Community Mental Health Services (ACMHS) must pay $150,000 and integrate an action plan to meet HIPAA compliance after the organization had more than 2,700 individuals’ electronic health information compromised in a cyber attack, according to a bulletin on the settlement.

According to the bulletin, ACMHS informed the Office for Civil Rights (OCR) about its breach in March 2012, at which point the OCR opened an investigation into the group’s HIPAA compliance and found that the medical organization violated the “Security Rule.”

The HIPAA Security Rule requires entities who handle electronic protected health information to regularly patch systems and update their IT infrastructure. Although ACMHS had adopted the sample Security Rule policies and procedures in 2005, they were never followed. This lack of patching of IT security systems allowed malware to breach the medical organization’s systems, and, the bulletin says, prompted the settlement.

As the first major neglect settlement for violations against the Security Rule, ACMHS’ case should serve as a wake-up call to healthcare providers, said Rob Juncker, vice president of Research and Development, LANDESK, in a Wednesday interview with SCMagazine.com.

“[IT security professionals] better make sure that they’re patching and doing best practices and paying attention to anything in their network that could be considered negligence,” he said.

Many health care providers will have major hurdles to overcome when truly securing their endpoints, Juncker said. For instance, it’s common to see Windows XP, which is now out-of-support, being used. This could be a violation within itself, Juncker said.

It’s no surprise health records make for lucrative goods, as they can fetch anywhere from $10 to $20 per file, so now’s the time to ask for support to add team members and beef up security resources, Juncker said.

“Rulings like this are when you have to bring [your thoughts] to the CISOs and make sure they allocate the proper amount of help to ensure proper compliance,” he said.

Via: scmagazine