Dropbox not Suitable for HIPAA or PCI Data

Monday 7 November 2011 - Filed under Cloud Computing

It’s good to get reminders of what we hopefully all know as security professionals, that Dropbox is not a solution for PHI, PII, PCI payment card data, or confidential financial data. Read on for the full story…

Analysis: Dropbox Carries Risks For SMBs
By Edward F. Moltzen, CRN
November 04, 2011 3:50 PM ET

http://www.crn.com/news/cloud/231902380/analysis-dropbox-carries-risks-for-smbs.htm?pgno=1

Dropbox, known as a purveyor of cheap cloud storage for consumers, is now targeting small and mid-sized businesses with a new service offering. However, SMBs considering the service need to bear in mind that it lacks key compliance certifications many businesses need, potentially leaving them open to significant financial penalties.

The new Dropbox for Teams cloud storage service does not meet the requirements of Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law, executives and media representatives from the San Francisco-based company confirmed to CRN this week.

Failing to meet compliance requirements could carry catastrophic consequences to SMBs, including some businesses that Dropbox is targeting with its Teams cloud storage offering. Dropbox executives, though, defend the product saying customers who beta-tested it prior to launch were concerned with collaboration and ease-of-sharing, not PCI, HIPAA or SOX.

“This is not what our customers are asking about right now,” said Chenli Wang, team lead of business and sales operations for Dropbox regarding Dropbox for Teams’ lack of regulatory compliance. “But there are things we always evaluate. We are just getting started.”

Wang noted that SOX compliance is aimed at publicly traded companies, which Dropbox is not targeting with Teams. HIPAA compliance, he said, is “more complex” because “it is not just about the technology compliance, but also data access and practices. That is more around how the businesses themselves enforce policies.”

Still, Wang said, HIPAA compliance is an area that “we may potentially look at.”

With PCI compliance, Wang said, that benchmark is more directed at the storing of customer credit card and personal data and “that’s not what they’re using [Dropbox for Teams] for.”

The build out of cloud-based storage solutions, for both businesses and individual consumers, is encountering a push-pull between cost in a price-sensitive environment and need for security, privacy and regulatory compliance.

However, for many businesses, compliance could be the whole ballgame.

For example, here is what Bank of America says in an online FAQ about what happens to a business that does not comply with PCI regulations:

“If you do not comply with PCI [Data Security Standard], your business may face significant financial and reputational risks.

“If your cardholder data is compromised, you could be required to reimburse us for card brand fines ranging up to $500,000 per incident, as well as subsequent fraud losses incurred by card issuers resulting from the compromised card data, which may exceed fine amounts.”

In addition, Bank of America says, a business could have its entire account blocked for a lapse in PCI compliance. And that’s even if a business conducts fewer than 20,000 credit card transactions in a year.

With HIPAA, health care providers themselves are often small businesses with the same regulatory compliance requirements as large, multi-global health insurance companies.

Even SOX requirements could be a factor for small, privately held companies. Under the act, third-party providers of significant services to publicly traded companies — like VARs or consultants — have to maintain the same controls as the publicly traded companies themselves. So the impact of non-compliant technology in even smaller organizations could loom large.

Wang acknowledges that Dropbox does not provide any warnings for small businesses with its Dropbox for Teams service to let them know the risks of storing regulated data on its non-compliant infrastructure.

PCI compliance, Wang said, “may apply to a small subset of potential customers. For the vast majority, [the focus is on] collaboration and creative assets. We’re not talking about bank statements.”

He said that security, and functions like encryption, were in fact considered and included in the development of Teams, and customers have been happy with that. His comment comes after some customers of Dropbox’s consumer service have had security complaints.

In unrelated cases, Dropbox has been fending off customer concerns about its security for some time. Those concerns — which have led to at least two lawsuits and a complaint with the U.S. Federal Trade Commission — include the alleged access of some Dropbox employees to individual customer data, as well as a one-time glitch that allowed some customer data to be accessed even without a password. Dropbox has been defending itself vigorously against criticism of its security, however, and has not been deterred in working to expand its addressable market.

Launched primarily as a consumer-focused tool for storing a small capacity of data online, Dropbox last month disclosed that it was launching Teams for collaboration — targeted at SMBs. Dropbox for Teams, which is sold directly online, is priced at $795 per year for use by up to 5 people. Dropbox advertises Teams as providing “bank-grade” encryption, and the service allows for quick sharing of data stored in its online service — including via Apple’s iPhone.

The market for cloud-based collaboration and storage is crowded, and there are competing solutions that do provide regulatory compliance and channel support. These solutions include, for example, IBM’s IBM Lotus Connections combined with IBM Vantage.

On the issue of working through third-party solution providers, Wang said the company only sells Dropbox for Teams direct, not through a channel of solution providers.

While Teams may address needs for quick, low-touch solutions for cloud-based collaboration and sharing in an organization, the unaddressed risks it brings may become an increasingly important topic of conversation for even the smallest of businesses. The sooner and more focused that conversation begins, the better.

For now, there appears to be nothing wrong with using Dropbox’s base consumer service for storing innocuous files and having access to them across platforms. Moreover, many organizations may even find Dropbox for Teams to be a solid offering that is easier to use for file sharing and storage than e-mail.

However, for others, there may be $500,000 (or more) worth of reasons to be cautious about taking the quick, cheap and easy route.

2011-11-07 :: Joshua

Facebook Allows your Friends to Reset your Password

Monday 31 October 2011 - Filed under Uncategorized

Facebook receives an ungodly amount of calls and emails from users who have been locked out of their accounts. In response, Facebook now allows you to designate “trusted friends” who can help you reset your password through codes sent to their accounts. This ushers in a new breed of possible social engineering tactics, no longer relying solely on the security-mindedness of the end user. While most Facebook users will not be worth a hacker’s time, high-value targets should choose trusted, security-conscious friends carefully. This is also true should you simultaneously offend all of your trusted friends at one time, as they could pool their resources to take control of your Facebook and exact revenge. Read on for the full story…

Facebook adds ‘trusted friends’ and app-specific passwords
By Rosa Golijan

http://technolog.msnbc.msn.com/_news/2011/10/27/8508512-facebook-adds-trusted-friends-and-app-specific-passwords

In honor of National Cybersecurity Awareness Month, Facebook reminds its users of existing security techniques and tools — and adds some new features which will supposedly keep you more secure on the social network.

A blog post by Facebook’s security team — yes, there really are teams dedicated to such things at the company — explains that two new features are being added to users’ account settings: Trusted friends and app passwords.

The first of these two features — trusted friends — is intended to help you access your account if you are ever locked out of it for some reason:

Trusted Friends will let you select three to five trusted friends who can help you if you ever have issues accessing your account. [Facebook will] send codes to the friends you have selected, then you can log back into your account using these codes after your friends have passed them along to you.

Now while this feature sounds great in theory, there’s also potential for abuse. Your supposedly trustworthy friends could easily request the reset codes on your behalf and then share them among each other in order to have all the information necessary to kidnap your account for some sort of nefarious (or hilarious) purpose.

In other words: Be very, very careful when it comes to selecting guardians for your Facebook account.

National Cybersecurity Awareness Month Updates
by Facebook Security

https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766

The other new feature — app passwords — is supposed to help keep your Facebook account safer by providing you with a unique password to use with apps. You’ll generate these app-specific passwords as necessary and simply enter them in place of your regular password when using third-party apps such as Spotify, Skype, and so on. You will be able to forbid a specific app from accessing your account by simply deleting the password you’ve generated for it at any time.

Security and safety are at the core of Facebook. We have entire teams dedicated to building tools that give people even more control over their account and specifically the way they access their information. In fact, many of our most talented engineers are working exclusively on creating a secure environment on Facebook. This October, as part of National Cybersecurity Awareness Month, we are working with others in the community to help educate people about techniques and tools for securing your devices and networks. Additionally, we thought this would be a great opportunity to tell you about some of the systems working behind the scenes to keep you and your data safe.

Today, we wanted to give you an update on some new features we will be testing in the coming weeks – Trusted Friends and App Passwords – and remind you of the many user tools we offer to help keep you secure on Facebook.

We’re excited to begin testing this new tool to help you in case you ever get locked out of your account. Similar to other features that help you prove your identity through your friends, you can now select three to five trusted friends who can help you if you ever have issues accessing your account. It’s sort of similar to giving a house key to your friends when you go on vacation–pick the friends you most trust in case you need their help.

If you forgot your password and need to login but can’t access your email account, you can rely on your friends to help you get back in. We will send codes to the friends you have selected and they can pass along that information to you.
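The trusted-friends recovery flow described above, modelled as an added example (this is not Facebook's code, and Facebook does not say how its codes are constructed): the owner's recovery secret is split into one share per friend with Shamir's secret sharing, so that any `k` of `n` friends can reconstruct it, whether on the owner's behalf or by colluding against the owner, while `k-1` friends learn nothing. Field modulus, share layout and the `recovery_demo` helper are assumptions of this example.

```python
"""Threshold account recovery modelled with Shamir secret sharing.

Added example, not Facebook's implementation.  Facebook's Trusted Friends
feature sends codes to 3-5 chosen friends and lets the owner log back in once
the friends pass those codes along.  Here that idea is modelled as a k-of-n
threshold scheme so the two properties the post cares about are visible:
any k friends together can reconstruct the recovery secret (legitimately, or
by colluding against the owner), and fewer than k cannot.
"""
import random
from typing import Iterable, List, Tuple

# Prime field modulus (2**127 - 1, a Mersenne prime); all arithmetic is mod P.
P = (1 << 127) - 1

Share = Tuple[int, int]  # (x, y) = (friend number, share value)


def make_shares(secret: int, k: int, n: int, rng: random.Random) -> List[Share]:
    """Split `secret` into n shares of which any k reconstruct it.

    A random polynomial f of degree exactly k-1 is chosen with f(0) = secret;
    friend i receives the point (i, f(i)).  Non-constant coefficients are drawn
    from [1, P) so the degree is exactly k-1, which makes the "k-1 friends are
    not enough" check in recovery_demo deterministic.
    """
    if not (1 <= k <= n < P) or not (0 <= secret < P):
        raise ValueError("need 1 <= k <= n and 0 <= secret < P")
    coeffs = [secret] + [rng.randrange(1, P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover(shares: Iterable[Share]) -> int:
    """Lagrange-interpolate the given points at x = 0 and return f(0).

    Returns the secret when at least k distinct shares are supplied.  With
    fewer, the result is the value at 0 of a lower-degree polynomial through
    the points, which is unrelated to the secret.
    """
    pts = list(shares)
    xs = [x for x, _ in pts]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # den is non-zero mod P, so pow(den, P-2, P) is its inverse (Fermat).
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recovery_demo(secret: int, k: int = 3, n: int = 5, seed: int = 2011) -> dict:
    """Run the legitimate, colluding and insufficient-quorum scenarios.

    The seed only makes the constructed shares reproducible; a real deployment
    would use an unpredictable source such as random.SystemRandom().
    """
    rng = random.Random(seed)
    shares = make_shares(secret, k, n, rng)
    return {
        # The owner collects codes from any k friends and gets back in.
        "owner_with_k_friends": recover(shares[:k]) == secret,
        # Any k friends acting without the owner obtain exactly the same thing.
        "k_colluding_friends": recover(shares[n - k:]) == secret,
        # k-1 friends cannot: their shares fit every possible secret equally well.
        "k_minus_1_friends": recover(shares[:k - 1]) == secret,
    }


if __name__ == "__main__":
    print(recovery_demo(secret=123456789))
```

The collusion line is the one the post warns about: the threshold protects against a single disgruntled friend, not against `k` of them acting together.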

App Passwords

There are tons of applications you can use by logging in with your Facebook credentials. However, in some cases, you may want to have a unique password for that application. This is especially helpful if you have opted into Login Approvals, for which security codes don’t always work when using third party applications.

We are testing a feature that allows you to use app passwords for logging into third party applications. Simply go to your Account Settings, then the Security tab, and finally to the App Passwords section. You can generate a password that you won’t need to remember, just enter it along with your email when logging into an application.

Over the past few years we have introduced a number of new security tools – Login Approvals, Login Notifications, and One Time Passwords to name a few. In addition, we have developed several back-end systems to help keep you and your data secure. To better illustrate the full range of these features and show how they all work together to keep you safe while on Facebook we are releasing this infographic. Check it out to learn more about our security infrastructure and an overview of the tools available to all our users to increase their level of account security.

Our considerable work has undoubtedly made Facebook a safer environment – less than half a percent of users experience spam on any given day and only a fraction of a percent of our users ever experience any security-related issues. But we know there is plenty of more work to be done and we will keep striving to make sure that every time you log in to Facebook, you have a safe and social experience. We are adapting and responding to new threats everyday and will continue to roll out new ways to protect your account. Be on the lookout for more announcements throughout the rest of this year, and remember to stay vigilant while online and remind others to do the same.

2011-10-31 :: Joshua

US Government Satellites Hacked

Thursday 27 October 2011 - Filed under cybercrime

On the heels of the news that US Predator drone control stations were infected with malicious code comes news that hackers managed to successfully penetrate US government defenses and gain operational control of two satellites, Landsat 7 and Terra AM-1. No major conclusions can be drawn from the limited information, but the upcoming report from the U.S.-China Economic and Security Review Commission should shed some light onto just how concerned we should be. Read on for the summary from Net-Security.org…

Hackers attacked U.S. government satellites

http://www.net-security.org/secworld.php?id=11853

Two U.S. satellites have been tampered with by hackers – possibly Chinese ones – in 2007 and 2008, claims a soon-to-be released report by the U.S.-China Economic and Security Review Commission.

The two satellites, Landsat-7 and Terra AM-1, had been interfered with on four separate occasions, allowing the attackers to be in command of the satellites for two to over twelve minutes each time.

Luckily, both of the satellites are used only for observing the Earth’s climate and terrain, and the hackers never actually misused their control over them in any way. But the compromises have definitely been taken very seriously, since future targets could include satellites with more sensitive functions, such as those used by the U.S. military and the various intelligence agencies for reconnaissance and communication.

According to Bloomberg, the report does not indicate whether the hackers behind the intrusions were state-sponsored or not, but it implies that the nature of the attacks and the targets seem to be consistent with Chinese military plans in case of open war, which include the disabling the enemy’s space systems and the ground infrastructure through which they are controlled.

According to the report, the control that the hackers had over the two satellites for those brief periods permitted them to damage or destroy them, or to block or falsify their transmission.

Since the satellites are controlled from the Svalbard Satellite Station in Norway which often uses the Internet to transfer and access files, it is deemed highly likely that the hackers have managed to insinuate themselves into the station’s system through its Internet connection.

2011-10-27 :: Joshua

Taking your Browser to the Cloud, the Next Evolution in Cloud Computing

Monday 17 October 2011 - Filed under Uncategorized

As scary as it seems, this is the future of mobile browsing. Add to that the fact that, where there is user tracking data to be collected, network providers have never been bashful about using this data to line their pockets. Hopefully, there will be enough media coverage to work out the information security and privacy concerns before we see the user base grow too far. Read on for the summary on Amazon’s blog, and let me know what you think about this in the comments…

Introducing Amazon Silk
September 28, 2011 by The Amazon Silk Team

http://amazonsilk.wordpress.com/2011/09/28/introducing-amazon-silk/

Congress is trying to wrap its collective head around Amazon’s new Silk Web browser. At a privacy hearing yesterday, Rep. Joe Barton (R-TX) expressed outrage at the way Silk’s ‘split’ design can funnel all user browsing data through Amazon’s backend servers. ‘My staff yesterday told me that one of our leading Internet companies, Amazon, is going to create their own server and their own system and they’re going to force everybody that uses Amazon to go through their server and they’re going to collect all this information on each person who does that without that person’s knowledge. Enough is enough.’ Today came a similar shot from the other side of the aisle, with Rep. Ed Markey (D-MA) dashing off a letter (PDF) to Amazon CEO Jeff Bezos about the same privacy concerns. ‘Consumers may buy the new Kindle Fire to read 1984, but they may not realize that the tablet’s “Big Browser” may be watching their every keystroke when they are online,’ Markey said in a statement.

Today in New York, Amazon introduced Silk, an all-new web browser powered by Amazon Web Services (AWS) and available exclusively on the just announced Kindle Fire. You might be asking, “A browser? Do we really need another one?” As you’ll see in the video below, Silk isn’t just another browser. We sought from the start to tap into the power and capabilities of the AWS infrastructure to overcome the limitations of typical mobile browsers. Instead of a device-siloed software application, Amazon Silk deploys a split-architecture. All of the browser subsystems are present on your Kindle Fire as well as on the AWS cloud computing platform. Each time you load a web page, Silk makes a dynamic decision about which of these subsystems will run locally and which will execute remotely. In short, Amazon Silk extends the boundaries of the browser, coupling the capabilities and interactivity of your local device with the massive computing power, memory, and network connectivity of our cloud.

2011-10-17 :: Joshua

Dual-Mode Android Separates Your Personal Data from Your Work Data

Friday 14 October 2011 - Filed under New Technology

I cringe every time I connect my new Android devices to a corporate network and have to accept the horrifying Terms of Service. Enterprise activation, required by most corporations’ Exchange servers for using the built-in email application, allows an employer to wipe my device remotely, among many other scary things. This dual-mode Android ability seems like the logical evolution of the new smart phone reality, that my phone is for business and pleasure… and I don’t trust my employer touching my personal data. Read on for the scoop from technologyreview.com.

One Smart Phone, Two Personalities
Thursday, October 13, 2011
By Tom Simonite

AT&T, the second largest wireless carrier in the U.S., and Qualcomm, which dominates the market for smart-phone processors, want to give your phone a split identity. The companies are separately adopting technology that can make a smart phone secure enough to keep IT bosses happy, but open enough to allow its owner to install apps or surf the Web.

AT&T will release its version of the technology, called Toggle, for Android phones this year. Someone using a device with Toggle installed taps the home button twice to flip between personal and work modes. The personal mode behaves like a regular phone and is fully under the user’s control. The work mode looks like a separate phone with its own desktop and suite of apps and is secured by a password. Its functionality is constrained by a company’s IT policy; all data stored or created under the work mode, whether e-mail, contacts, or Web downloads, is encrypted and can be remotely wiped if a phone is lost or stolen.

“People want to use their own smart phones and tablets for work, but that practice can create major headaches for businesses’ IT departments,” says Chris Hill, part of AT&T’s Advanced Mobility Solutions group. “Toggle helps resolve the issue in a simple, affordable manner.”

The smart phone boom triggered by Apple’s iPhone has caused a sharp increase in the number of people using personal mobile gadgets at work, a phenomenon sometimes referred to as Bring Your Own Device, or BYOD. Newer devices made the standard-issue corporate BlackBerry look clunky, and come with apps that can aid productivity.

AT&T’s Toggle is a rebranding of technology developed by Enterproid, a startup based in New York, which launched the technology in a closed beta trial earlier this year. Enterproid is also continuing to develop its own product, says cofounder Alexander Trewby. Android users can sign up to use Enterproid, which is currently free, here.

Trewby and colleagues are also working with chipmaker Qualcomm, which has made changes to forthcoming phone and tablet processor designs to better support Enterproid’s approach. “We will be integrated with their Snapdragon line of processors so we can store the encryption keys that secure our data in the silicon,” explains Trewby. That addresses a vulnerability where data could be stolen from a phone in work mode if an attacker gained root access to a phone and extracted Enterproid or Toggle encryption keys that are currently stored in the phone’s memory. Storing those keys in a device’s processor instead makes such an attack much more difficult, says Trewby, who notes it is even enough to satisfy military organizations.

Activating work mode on a device running Toggle or Enterproid allows access to a suite of basic apps for e-mail, Web browsing, and content management. Enterproid plans to launch its own app store to allow IT managers to remotely install apps on employees’ phones. Trewby and colleagues also hope to encourage developers to contribute apps. “We’re providing the platform for third-party developers, and they will be able to inherit our encryption and security into their own app.”

The fact that two companies as influential as AT&T and Qualcomm are backing Enterproid’s technology makes it possible that such a feature will become common for many smart phones and tablets. However, the approach will not work for the iPhone or iPad, which do not allow one app to run inside another. Apple also has tight guidelines for apps that rule out replicating Apple’s default interface.

Trewby says Enterproid has a good relationship with Apple, and he hopes that in the future, the company will allow a dual-persona system. But for the moment, Enterproid is working on a more basic iPhone app that keeps a work contact list secure.

“We’re seeing demand for a dual mode on iPhone, though, and our existing users on Android really like this approach,” says Trewby, adding that an application for hacked iPads, called iUser, implemented such a system and “got great response.”

Mike Sapien of the analyst firm Ovum says the Bring Your Own Device problem is serious enough to attract Apple’s attention. His company’s research suggests that 35 percent of people currently use a personal device for work data. Sapien says the number is likely higher because many people do so against company policy.

“I think it’s a big enough trend that Apple will find its own solution for this, probably with some key partners,” says Sapien, who notes that Enterproid could give Android phones a competitive advantage over Apple devices in the eyes of some consumers and company IT managers.

2011-10-14 :: Joshua

100 Hackers Hired to Test 2012 Olympics Information Security

Tuesday 11 October 2011 - Filed under cybercrime

On the surface it appears that the brains behind the London Olympics are taking information security considerations seriously for the 2012 games. They have hired 100 pen testers to simulate a range of attacks on the 2012 Olympic games such as various DDoS and virus attacks, in order to ensure that they are protected from cyber attack during the games. Let’s hope that they included the most dangerous of them all in their testing, social engineering. Read on for the full story from Sophos…

London Olympic Games to simulate cyber-attacks
by Graham Cluley on October 11, 2011 | Sophos.com

The London 2012 Olympic Games will open in nine months’ time, and – away from the glories anticipated on the track and field – consideration is being made about how to defend the world’s leading sporting event from cyber-attack.

The Olympics’ Technology Operations Centre (TOC), located in Canary Wharf, was opened to the media yesterday. During the games, hundreds of staff will work at the centre, providing 24×7 monitoring of the Games’ technology infrastructure, including IT security.

London Olympics 2012 Technology Operations Centre

It was reported that the 2008 Beijing Olympics were on the receiving end of 12 million online attacks per day.

Of course, internet attacks come in all shapes and sizes, and some can be deflected very easily – so the large number of attacks at the last Olympic Games is not necessarily a cause for concern by itself.

Nevertheless, the rise of hacktivism and “doing it for the lulz” raises the specter of a larger number of individuals thinking it might be cool to interfere with the enjoyment of sports-lovers.

Possible threats which could disrupt the Olympic Games include denial-of-service attacks against official websites and malware infections.

Gerry Pennell, chief information officer for London 2012, has said that a key principle will be to “keep mission-critical games systems quite isolated from anything web-facing. So very much partitioned and separated, thus making it hard for an external attack to succeed.”

Well, that sounds sensible – but there’s nothing quite like testing the theory. And with that in mind, the computer systems behind the London Olympics will suffer simulated internet attacks in March and May, just months before the Games begin, to test that they can withstand a massive denial of service or a malware outbreak on internal systems.

“We simulate past competitions and we have a shadow team of about 100 people coming and creating problems – injecting viruses, disconnecting PC servers,” Patrick Adiba from Atos, the Olympics IT supplier, told the BBC. “We are using a simulation system so it doesn’t really matter if we corrupt the data. We simulate the effect and see how people react.”

Computer security is a very real issue for organizers of major sporting events, and there have been problems in the past.

For instance, in 2003 the Pan American Games held in the Dominican Republic were impacted by a computer virus that interfered with the results service. Media representatives around the world were unable to access the latest scores and results from competitions as the computer system was brought down.

Unless properly defended against, a group wishing to make a political point might find it all-too-tempting to launch an attack against Olympic servers or inject malware into a vulnerable website.

It’s good to see the London Olympics preparing for the worst case scenario, and we all hope that when the Games do open on 27 July 2012 they will do so without a hitch.

2011-10-11 :: Joshua

US Air Force has Predator Drone Control System Infected

Monday 10 October 2011 - Filed under cybercrime + Information Leak

With the news of the USAF predator drone virus infection comes growing public concerns that the military is failing to provide adequate information security protections from malicious attackers. Hopefully, an air gap is being implemented which prevented this infection from sending its payload “home”, wherever that may be.

Unfortunately, knowing the scale of the US military and the fact that there is no patch for human stupidity, I can say with confidence that events of this magnitude happen far more frequently than the public knows. What makes this event special is that someone (who I am sure received a severe tongue lashing if not termination) leaked this information to a reporter.

While this news story should raise the public’s awareness of the vulnerability to a US cyber-attack from foreign sources, there are much larger threats to the nation, largely from public industry. Frighteningly, the same SCADA vulnerabilities that caused an Iranian nuclear reactor to spin out of control are present in every component of American infrastructure. For more information on the need to protect our Infrastructure, you can visit the FBI’s InfraGard website and even join as a member to receive the latest updates and participate in the discussion. Read on to get the summary from Sophos…

Malware compromises USAF Predator drone computer systems
by Graham Cluley on October 10, 2011 | sophos.com

According to a Wired report, malware has infected the control systems used by the United States Air Force to fly Predator and Reaper drones, logging key presses as the unmanned aircraft are flown remotely in Afghanistan, Libya, Pakistan and other conflict zones.

The malware intrusion is said to have been detected by the Department of Defense’s own Host Based Security System (HBSS), but attempts to permanently remove the infection from one of America’s most important weapons systems have proven unsuccessful.

Inevitably there has been some concern in the media that malware could interfere with the flight of drones that are not just capable of surveillance, but can also carry deadly missiles to remote targets.

Questions are understandably being asked as to whether a remote hacker could interfere with the drones mid-flight, or send information to a third party about the drone’s whereabouts or intended target.

Wired quotes an unnamed source familiar with the infection as saying:

“We keep wiping it off, and it keeps coming back… We think it’s benign. But we just don’t know.”

Hmm.. If I “just didn’t know” I would assume the worst. In computer security, it’s always safest to assume the worst possible scenario has happened and take the necessary steps until you have proven that it hasn’t, rather than assume everything is ticketyboo.

Chances are that the malware is a common-or-garden key logging Trojan horse designed to steal banking information rather than targeting the USAF. But if they are having problems keeping their systems malware-free, and have not identified the infection accurately, they should presume that it is more serious instead.

Predator and Reaper crews fly their drones remotely from an airforce base in Creech, Nevada. The computer systems used to control the weapons are supposedly not connected to the public internet – to reduce the chances of malware infection.

However, any IT administrator will know that simply disconnecting a computer from the internet does not make it 100% safe. Malware can be introduced via other means, such as a USB memory stick, as astronauts on the International Space Station discovered in 2008.

And that seems to me to be the most likely vector (USB memory stick I mean, not outer space..) by which malware could have infected the drone computers, as it’s known that drone pilots use memory sticks to upload terrain maps and mission videos.

2011-10-10 :: Joshua

Half of WikiLeaks sourced from P2P

Saturday 29 January 2011 - Filed under Information Leak

As if we didn’t need any more evidence to support blocking P2P in the enterprise.

Have an opinion? Let me know in the comments.

Story from eweek.com:

As much as half of the secret documents posted by WikiLeaks may have been siphoned from peer-to-peer users who incorrectly configured their file-sharing software, according to evidence gathered by a security firm.

Allegations against WikiLeaks have spotlighted a key avenue for data leaks: peer-to-peer (P2P) networks.

According to Tiversa, which specializes in monitoring P2P networks, WikiLeaks has mined popular applications such as Kazaa and LimeWire for data in the past—despite statements from WikiLeaks that it does not actively search for information. As an example, Tiversa contends that on Feb. 7, 2009, it detected four machines in Sweden searching and downloading information via P2P.

Those searches ultimately led to a computer in Hawaii with a survey of the Pentagon’s Pacific Missile Range Facility there, Bloomberg News reported. Tiversa reportedly captured the download of the PDF file by one of the Swedish computers. According to Bloomberg News, the document exposed details of infrastructure changes involved in adding a new sensor system. The document was reportedly renamed and posted on WikiLeaks in April 2009.

There were other examples as well, such as Army intelligence documents posted by WikiLeaks in 2009 that were exposed to searching on P2P networks in September 2008. Then there was a spreadsheet posted by WikiLeaks in late 2009 detailing potential targets of terrorism in Fresno County, Calif. The document was reportedly exposed accidentally by a California state employee in August 2008.

WikiLeaks denied Tiversa’s claims in an e-mail to Bloomberg News. Regardless, this was hardly the first time P2P networks were found to be home to sensitive information. In February 2010, the U.S. Federal Trade Commission notified nearly 100 organizations that personal information, including customer and employee data, had been shared from the organizations’ computer networks and was available on P2P file-sharing networks.

“The massive exposure of sensitive data on P2P networks is not a new issue; however, the awareness of its breadth is,” said Scott Harrer, brand director at Tiversa.

Organizations of every size need to be diligent about file-sharing use, he said, adding that large brands with armies of suppliers or a dispersed workforce need to have proactive tools in place to detect and mitigate data loss via P2P.

“Over 90 percent of the data disclosures that we see on P2P emanate from suppliers, partners and remote employees,” he said.

Some organizations look to data leak prevention (DLP) technologies to solve the problem.

“Historically, the way to deal with protecting against data leaks over P2P was simply to shut it down with old-style application control products,” said Robert Hamilton, senior product marketing manager for DLP at Symantec. “Now, with the consumerization of IT and the blending of work and personal life, it has become harder to simply turn off P2P. Increasingly, people are expecting and asking for access to P2P applications and are using them on personal time. So the new goal is to allow employees to use the P2P applications, just not with confidential data.”

There is however no shortage of organizations willing to ignore the issue of insider data loss or theft, said Mike Spinney, a senior privacy analyst at the Ponemon Institute.

“The focus is too much on technology and not enough on people,” he said. “In 2009 we did a study on data loss that occurs, for example, when employees are fired, laid off or voluntarily change jobs. It was very high. Fifty-nine percent of those with whom we spoke said they took information with them when they left a job.

“Granted, some people will do this anyway—they will regard proprietary information as their parting gifts—but for most people it wasn’t a malicious act but simple ignorance,” he continued. “They weren’t aware of any policy forbidding them from taking the information, and they felt entitled because they had a role in creating it. So, I can’t stress enough the importance of creating meaningful use and governance policies, communicating the policies effectively across all corporate strata, and enforcing the policies.”

Story from eweek.com
http://www.eweek.com/c/a/Security/WikiLeaks-P2P-Searching-Claims-Highlight-Filesharing-Security-Risks227943/

2011-01-29  ::  Joshua

Why Should I Care About HTTPS on Facebook?

Thursday 27 January 2011 - Filed under Social Media

An interesting article: a 30-second, idiot’s-guide-style primer on the benefits of HTTPS.

Have an opinion? Let me know in the comments.

From Lifehacker.com:

HTTPS is a significantly more secure version of HTTP, which is the protocol you generally use to load up your webpages (whether you’re aware of it or not). HTTP stands for Hypertext Transfer Protocol, so HTTPS stands for the same thing but with Secure on the end of it. This is because, as Wikipedia will tell you, HTTPS is “a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server.”

Why You Should Care

So yeah, you get it: HTTPS provides additional security, but what does that actually mean when you’re browsing the web every day? It basically means you’re protecting your private information from people who want to steal it using readily available tools like Firesheep. It means when you enter your password or your phone number or anything personal on Facebook—or any other site offering HTTPS—that data will be encrypted as it flies through the great tubes of the internet.

Think of it like this: you’re having a private conversation with your new boyfriend or girlfriend, and your ex—unbeknownst to you—is a few tables over listening to every word. That’s the sort of risk HTTP poses, whereas HTTPS would be more like if you and your new romantic interest were speaking a new language that only the two of you understood. To your stalker of an ex, this information would sound like gibberish and s/he wouldn’t get any value from listening if s/he tried. HTTPS is a way for you to exchange information with a web site securely so you don’t have to worry about anyone trying to listen in.

Okay, I Want HTTPS Right Now!

Good choice! Enabling HTTPS in Facebook is very easy. Just visit your Account Settings page, select Account Security (it’s the third option from the bottom), and you’ll find a checkbox to enable HTTPS under the Secure Browsing header. That’s all you have to do. NOTE: This feature hasn’t been rolled out to all accounts and so it may not be available to you yet. We’re told it’s going to take a few weeks, so you should have it by mid-February at the latest.

What about everywhere else? Well, HTTPS is enabled by default on most sites that take sensitive information like your credit card number so you’re generally good to go when buying online. Every browser has its own way of representing whether a site is secure, but generally you’ll see a lock icon in your browser’s address bar. There are varying degrees of security, however, since sometimes emails have attachments coming from insecure sites (more info on that here). If you want HTTPS everywhere, the Electronic Frontier Foundation’s (EFF) aptly named HTTPS Everywhere is a Firefox extension to provide that functionality. They also recommend KB SSL Enforcer for Chrome users, but have found that it isn’t implemented as securely (which could be a limitation of the Chrome extension framework).

So that’s HTTPS in a nutshell and why you should start using it as much as possible. Hope that helps!

Story from Lifehacker.com

http://lifehacker.com/5745086/why-should-i-care-about-https-on-facebook-or-other-web-sites
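As an added example, not part of the Lifehacker piece or this blog, here is a Python audit of the two server-side settings that decide whether a session cookie can be captured over plain HTTP the way Firesheep did: the cookie’s Secure flag and the Strict-Transport-Security header. The response headers, cookie names and values are constructed for the demonstration.

```python
# Added example (not from the Lifehacker article): a small audit of the
# server-side settings that decide whether a session cookie can be sniffed
# the way Firesheep did. Header values below are constructed.
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool       # Secure attribute (RFC 6265): never sent over plain HTTP
    http_only: bool    # HttpOnly attribute: not readable by page scripts
    problems: list = field(default_factory=list)


def parse_set_cookie(value):
    """Split one Set-Cookie value into the cookie name and its attributes
    (attribute names lower-cased; flag attributes such as Secure map to True)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def audit_cookie(value):
    """Flag the two attributes a session cookie needs to survive an open Wi-Fi."""
    name, attrs = parse_set_cookie(value)
    secure, http_only = "secure" in attrs, "httponly" in attrs
    problems = []
    if not secure:
        problems.append("no Secure flag: sent on any http:// request, so sniffable")
    if not http_only:
        problems.append("no HttpOnly flag: readable by script on the page")
    return CookieAudit(name, secure, http_only, problems)


def audit_response(headers):
    """headers: list of (name, value) pairs as received over the wire."""
    report = {"hsts": False, "cookies": []}
    for name, value in headers:
        key = name.lower()
        if key == "strict-transport-security":
            # HSTS (RFC 6797): the browser stops using plain HTTP for this host
            report["hsts"] = True
        elif key == "set-cookie":
            report["cookies"].append(audit_cookie(value))
    return report


def sniffable_cookies(report):
    """Names of cookies that would travel in the clear on an http:// link."""
    return [c.name for c in report["cookies"] if not c.secure]


# Constructed responses: an HTTP-era configuration and a hardened one.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        rep = audit_response(hdrs)
        print(label, "HSTS:", rep["hsts"], "sniffable:", sniffable_cookies(rep))
```

The weak configuration reports both cookies as sniffable and no HSTS; the hardened one reports none, which is the state a site needs to be in before the lock icon actually protects a logged-in session.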

2011-01-27  ::  Joshua

Last Decade’s 10 Most Dastardly Cybercrimes

Tuesday 18 January 2011 - Filed under cybercrime

Looks like this decade has a lot to live up to.

Have an opinion? Let me know in the comments.

Story from wired.com:

“It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.

Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium.

2000

MafiaBoy

Once upon a time, “distributed denial of service attacks” were just a way for quarreling hackers to knock each other out of IRC. Then one day in February 2000, a 15-year-old Canadian named Michael “MafiaBoy” Calce experimentally programmed his botnet to hose down the highest traffic websites he could find. CNN, Yahoo, Amazon, eBay, Dell and eTrade all buckled under the deluge, leading to national headlines and an emergency meeting of security experts at the White House.

Compared to modern DDoS attacks, MafiaBoy’s was trivial. But his was the cyberstrike that put the internet’s security issues on a national stage, and inaugurated an era where any pissed off script kiddy could take down part of the web at will.

2002

California Payroll Database Breach

On April 5, 2002, an unidentified hacker penetrated a California server housing the state government’s payroll database, gaining access to names, Social Security numbers and salary information for 265,000 state workers from the governor on down. The breach itself was small potatoes, but when it emerged that the California Controller’s Office had waited two weeks to warn the victims, angry lawmakers reacted by passing the nation’s first breach disclosure law, SB1386.

The law requires hacked organizations to promptly warn potential identity theft victims. Its passage pulled the rock off the string of major corporate breaches that companies would have preferred to hush up. Today, 45 states have enacted similar laws.

2003

Slammer

In 2003, fear came in 376 bytes. The lightning-fast Slammer worm targeted a hole in Microsoft’s SQL server, and despite striking six months after a fix was released, the malware cracked an estimated 75,000 unpatched servers in the space of hours. Bank of America and Washington Mutual ATM networks ground to a halt. Continental Airlines delayed and canceled flights when its ticketing system got gummed up. Seattle lost its emergency 911 network, and a nuclear power plant in Ohio lost a safety monitoring system.

Slammer wasn’t the biggest worm ever, but in its aggressive, relentless spread, it exposed the secret interconnections that corporations were foolishly allowing between important private networks and the public internet.

2004

Foonet

Years before there was a Russian Business Network, a small ISP hosted in a suburban basement in Ohio gained the dubious reputation as the first black-hat hosting company. It was a safe spot for hackers and packet monkeys to attack an unsuspecting internet. Foonet’s hosted clients included Carder Planet — the dedicated “carder forum” for credit card hackers — and its IRC servers were where legendary German hacker Axel “Ago” Gembe controlled his Agobot network of compromised Windows boxes.

After two FBI raids, in 2004, Foonet’s founder and some of the staff were indicted for a DDoS-for-hire scheme that collaterally slammed Amazon.com and the Department of Homeland Security. Foonet’s owner, Saad Echouafni, skipped out on $750,000 to flee the country, and remains on the FBI’s wanted list today.

2006

The Los Angeles Traffic Signal Attack

When Los Angeles traffic engineers went on strike in August 2006, the city decided not to take any chances: They temporarily blocked most access to the computer that controls 3,200 traffic signals throughout the City of Angels. Two of the striking engineers hacked in anyway. From a laptop, Kartik Patel and Gabriel Murillo picked four key intersections and changed the timing on the traffic signals so the most congested approach would hit long red lights.

The timing tweaks wreaked havoc in a city already flirting with gridlock, according to the Los Angeles Times, snarling traffic at the Los Angeles International Airport, backing up the Glendale Freeway and paralyzing Little Tokyo and the streets of the downtown Civic Center. It evidently took several days for managers to figure out what was going on.

In December 2009, the engineers were sentenced to probation.

2006

Max Vision

In 2006, a former computer security researcher turned professional black hat weighed and measured the computer underground, and found it wanting. So in a two-night hackfest from his San Francisco safe house, Max Vision (aka Iceman) trained his guns on the online carder forums where hackers and fraudsters buy and sell stolen data, fake IDs and specialized underground services.

When he was done hacking in and wiping out their databases, he absorbed their content and membership into his own site, CardersMarket, turning it into the largest English-speaking criminal marketplace on the web — 6,000 members strong. The hostile takeover got the attention of the feds who’d thoroughly infiltrated some of the sites he hacked, and a year later FBI and Secret Service tracked Iceman to his hideout. He’s now awaiting sentencing for stealing 2 million credit cards that rang up $86 million in fraudulent charges.

2008

RBS Worldpay Heist

The first time we learned that the payment processor RBS Worldpay had been hacked, it sounded like no big deal: The company announced in December 2008 that it had seen fraud on only 100 of the 1.5 million payroll and gift card accounts compromised in the breach. But it turns out the hackers were able to raise the withdrawal limits on 44 of those cards to as high as $500,000. Then they dispatched a global army of cashers to slam the accounts with repeated rapid-fire withdrawals.

More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after midnight Eastern Time on November 8, 2008, resulting in a one-day haul of $9.5 million in cold, hard cash. In November, the United States indicted four of the alleged ringleaders, who are in Estonia, Russia and Moldova. Good luck with that.

2005 – 2008

Albert Gonzalez

He called it “Operation Get Rich or Die Tryin’.” For nearly four years ending in 2008, 28-year-old Albert “Segvec” Gonzalez and his accomplices in America and Russia staged the biggest data thefts in history, stealing credit and debit card magstripe data for sale on the black market. Using Wi-Fi hacking and SQL injection, the gang popped companies like 7-Eleven, Dave & Buster’s, Office Max, TJX, and the credit card processor Heartland Payment Systems, which alone gave up 130 million cards.

The intrusions didn’t just make Gonzalez a millionaire — he buried $1.1 million in his parents’ backyard — they exposed slipshod security in America’s card-processing infrastructure, and positioned the former Secret Service informant to break a new record: longest U.S. prison term for hacking. His plea agreements envision a 17- to 25-year sentence. It could be worse. One of Gonzalez’s overseas accomplices got 30 years in a Turkish prison.

2009

Conficker

Bots were probably the biggest black-hat innovation of the decade, and the biggest and best was Conficker. From the start, the Conficker botnet had trouble managing expectations. But just because the worm didn’t destroy the internet, as predicted by the mainstream press, doesn’t mean it wasn’t an impressive achievement.

Packing state-of-the-art encryption and a sophisticated peer-to-peer update mechanism, Conficker tantalized security researchers and resisted attempts at eradication, inhabiting at its peak as many as 15 million unpatched Windows boxes, mostly in China and Brazil.

Experts think it’s the work of an organized team of coders, and there are hints that it originated in Ukraine. And like most of the hacking out of Eastern Europe, the software has a profit motive: It’s been seen sending spam, and serving victims a fake anti-virus product that offers to remove malware for $49.95. Dude. It used to be about the mayhem.

2009

Money Mules

Another innovation from the former Soviet empire was the so-called “money mule” scam that emerged in 2009. Using specialized Trojan horses like Zeus and URLZone, the perps target small businesses that use online banking, stealing the victim’s credentials and initiating wire transfers from their accounts, usually totaling tens or hundreds of thousands of dollars.

In some cases, the Trojan horse even covers up the crime by rewriting the victim’s online bank statement on the fly; other times, the hacker just wipes the hard drive to keep the target off the internet for a while. The stolen money goes to mules that’ve been recruited through bogus work-at-home offers, and whose job it is to withdraw the cash and send the bulk of it to the scammers via Moneygram. It’s the perfect crime; one the FBI says has racked up $100 million in thefts, and counting.”

Story from wired.com
http://www.wired.com/threatlevel/2009/12/ye_cybercrimes/#previousa1019a208da4f98baff5e71eb20cbd6d

2011-01-18  ::  Joshua