Wednesday, September 20, 2017

Comixology users must change passwords after data breach

The digital comics marketplace says it was hit by a security breach that targeted a database of usernames, e-mail addresses, and encrypted passwords. March 6, 2014 6:46 AM PST (Credit: Screenshot by Lance Whitney/CNET) Digital comic readers with...

End of Windows XP support leaving organisations ‘asleep at the wheel’...

Organisations that haven't updated their operating systems by the time Microsoft ends support for Windows XP on 8 April will be left open to attacks from hackers and cyber criminals, consultancy firm EY has warned. As of next month Microsoft will no l...

BYOD, Cloud Add to Data Security Worries: SailPoint

The vast majority of respondents (82 percent) said they allow employees to use their personal devices to access company data or applications at work.

While global enterprises are embracing, and in some instances mandating, the use of cloud and mobile technologies, they do not have IT controls in place to properly manage them, according to SailPoint’s annual Market Pulse Survey, which measures IT leaders' attitudes toward identity and risk management. The study, which indicates whether companies are effectively governing access to key data as new technologies take hold in the enterprise, found that without the proper preventive and detective controls, those enterprises are ultimately putting themselves at an increased risk of fraud, theft and privacy breaches.

However, cloud and bring-your-own-device (BYOD) trends are glaringly absent from most companies' security programs. In fact, as many as 41 percent of respondents admitted to an inability to manage cloud and BYOD as part of their identity and access management strategy. Exacerbating the problem is the fact that less than half the respondents have a process in place to automatically remove mission-critical data from mobile devices, while 46 percent of respondents are not even confident in their ability to grant or revoke employee access to applications across their entire IT environment.

Because of the lack of visibility, 52 percent of respondents admit that employees have read or seen company documents that they should not have had access to, and 51 percent believe that it's just a matter of time before a security breach occurs. The report also found 63 percent of enterprises now require IT decision makers to evaluate cloud applications as part of every software procurement process.

Already, 39 percent of mission-critical applications are currently stored in the cloud, which will increase to 59 percent by 2016. An inability to get the whole picture across all systems (45 percent), over-reliance on IT support (43 percent) and an inability to manage new technologies (40 percent) are all significant challenges experienced with identity and access management (IAM) strategies over the last 12 months. Survey results indicated IAM is critical in helping businesses meet their compliance requirements (54 percent), reducing operational risk (53 percent) and enabling new business initiatives (40 percent). However, nearly half (46 percent) of businesses surveyed said they are not confident they can prove the effectiveness of internal controls over user access privileges in an IT audit, and a further 46 percent are not confident in their ability to grant or revoke employee access. "As the IT landscape continues to evolve, many businesses are becoming uncertain about what the future holds for their data security," the report noted. "This year’s survey underscores that, instead of relying on reactive IAM policies, businesses need to develop a proactive strategy that is intelligent, innovative and flexible."

FreedomPop ‘Snowden Phone’ Is Latest Pro Privacy Effort

FreedomPop's Privacy Phone, nicknamed the "Snowden Phone," encrypts voice packets, sends data through a VPN and can be purchased with Bitcoin. The FreedomPop Privacy Phone, or the "Snowden Phone," as FreedomPop has nicknamed it, is the latest mobile industry effort to offer customers ensured privacy. The phone runs on FreedomPop's voice over IP (VoIP) network and encrypts each voice packet so they're untraceable, says the carrier.

Additionally, all application and Internet data is sent through a secure, encrypted virtual private network (VPN). Users can also change their phone numbers as often as they like, and for added anonymity, the phone can be purchased via Bitcoin. "In light of recent violations in consumers' privacy across social networks and mobile devices, privacy is becoming increasingly important to many Americans and we all have a right to communicate anonymously," FreedomPop COO Steven Sesar said in a March 5 statement. "Large carriers don't have the flexibility, desire or creativity to invest in privacy," Sesar added. "In fact, some companies have been compensated for handing over consumers' data. We don't agree with this approach and felt it was up to us to create a truly private mobile phone service at an affordable price."

The New York Times reported in November that the Central Intelligence Agency (CIA) pays AT&T more than $10 million a year for assisting its "overseas counterterrorism investigations," and Wired reported March 3 that the Obama administration is suing Sprint for overcharging it by more than $21 million in "wiretapping expenses."

FreedomPop runs on the Sprint network, offering services based on a freemium model. It introduced itself to consumers in late 2012 with a wireless home modem, offering free limited access and tiered pricing for greater access. In October 2013, it graduated to mobile phone service, offering 500MB of data, 500 text messages and 200 anytime minutes "free every month for life" and without a contract.

For $10.99 a month, users can purchase unlimited voice and texting. "FreedomPop's mission is to ensure that everyone has access to affordable, convenient and essential communication services," FreedomPop CEO Stephen Stokols said in a statement at the time. Introducing the Privacy Phone, FreedomPop described itself as offering "disruptive mobile services" that ensure "no one is left off the 'connected grid.'" The Privacy Phone is a tricked-out Samsung Galaxy S II. Like banks and government agencies, it relies on 128-bit encryption.

According to FreedomPop, it also enables anonymous Internet browsing, prevents online marketers from tracking Web activity, blocks data monitoring and eavesdropping from third parties, and can bypass Website restrictions and "connect to any site online." It also protects users from viruses and malware, keeps call history and other information confidential, blocks unsolicited calls and texts, and blocks malicious and phishing Websites. The phone is priced at $189. Users will receive 500MB of data and unlimited voice and text free for three months, and then pay $10 a month after that.

Last week, Boeing introduced the Black phone, an Android-running device with embedded FIPS 140-2 key storage, support for trusted modules and "layers of trust from embedded hardware, operating system policy controls and compatibility with leading mobile-device management systems." Silent Circle and Geeksphone also introduced the Blackphone, an Android-running smartphone said to feature a "unique combination of application tools which offer unparalleled security and privacy to information workers, executives, public figures [and] anyone else unwilling to cede ownership of their privacy to other authorities."

Security, Privacy, Trust Must Be Built into All Hardware, Services

NEWS ANALYSIS: A few companies are showing that they recognize the need to restore a sense of digital trust in an era of massive data breaches and government surveillance. When did digital trust and privacy move from something expected to something that is only provided at a price? The Edward Snowden revelations, National Security Agency snooping via alleged back doors into vendor systems, big retailer identity heists and big Internet companies built on consumers trading their privacy for free service are all examples of how far the technology industry has fallen into a trustless economic model. There are signs of resurgence in building products and services where trust and security are paramount and I applaud those efforts. Recently, there have been three events which illustrate the trust trend. One was the successful TrustyCon conference held at the same time and in a venue a few blocks away from the yearly RSA Security Conference. Despite fears that the conference would only provide a stage for denouncing the ongoing RSA and NSA allegations regarding backdoor dealings, that's not what happened. The speakers at TrustyCon were passionate but reasoned in their arguments calling for a return to the concept of building a trusted digital economy.

While it might seem odd that a conference was required to advocate for digital trust, the event was a good start in creating the discussion forum. I hope it continues. Second was the emergence of smartphone vendors who, rather than trying to differentiate their devices based on the number of computing cores, screen resolution or battery life, are promoting the phone’s security features. While the Blackphone was widely known to be ready for introduction, some other entrants were a surprise. Blackphone, which is a combined effort from the developers at Silent Circle (including PGP developer Phil Zimmermann) and GeeksPhone, uses a modified version of Android to address privacy. The Boeing Black smartphone was a surprise entrant with essentially a self-destructing secure phone aimed at sales to government agencies.

And finally, FreedomPop (founded in part by Skype developer Niklas Zennstrom) has introduced a phone and service based on privacy. In an era where high end smartphones are becoming indistinguishable in their feature sets, privacy and security can be a distinguishing characteristic. Third is the ongoing fallout from the security breach at Target.

While past security breaches and big identity theft heists have tended to be met by shoulder shrugs from consumers, I don’t think that will be the case this time around. For Target the breach has proved to be both financially and brand damaging. Consumers are still unsure if the breach will affect their credit cards. Meanwhile, a range of new technologies based on secure digital transactions—I’m not talking Bitcoin, but more in the Square category—are coming into the consumer mainstream. Credit and debit cards based on chip and pin instead of magnetic swipe technology are commonplace in European countries and despite their slightly more cumbersome payment process would, I think, be welcomed by consumers anxious for secure transactions.

The fallout from the Target breach has continued internally with the company recently announcing that the company’s CIO has resigned and the compliance vice president is retiring. CIOs who have offloaded the digital security functions of their company to a Chief Information Security Officer operating in a separate division should realize that whether or not it is on the org chart, digital security is part of their job description. These three events do not necessarily a trend make, but I’d argue that for a consumer and business customer base exhausted by news over digital break-ins, privacy violations and services which mine user data to provide ever more targeted advertising, vendors that put privacy and trust at the forefront of their product offerings will get a positive customer reception. Vendors developing new service offerings and product strategies should recognize that privacy, security and trust are three non-negotiable items that need to be at the top of the feature list.

Eric Lundquist is a technology analyst at Ziff Brothers Investments, a private investment firm. Lundquist, who was editor-in-chief at eWEEK (previously PC WEEK) from 1996 to 2008, authored this article for eWEEK to share his thoughts on technology, products and services. No investment advice is offered in this article.

All duties are disclaimed. Lundquist works separately for a private investment firm which may at any time invest in companies whose products are discussed in this article and no disclosure of securities transactions will be made.

Target CIO Resigns, Retailer to Retool Entire Security Approach

U.S. retailer is still reeling from that 2013 breach, with profits falling a whopping 46 percent and revenue down 5.3 percent in the quarter.

Target CIO and Executive Vice President of Technology Services Beth Jacob tendered her resignation March 5, effective immediately, as the result of the well-chronicled data breach last holiday season that impacted an estimated 110 million of the retailer's customers. Jacob had served as Target's CIO since 2008 and originally started with the company as an assistant buyer in 1984. She worked elsewhere from 1986 to 2002, when she returned to Target to serve as director of guest contact centers. "This is a difficult decision after 12 rewarding years with the company I love. But this is a good time for a change," Jacob wrote in her resignation letter. Target reported on Dec. 19 that about 40 million payment card accounts were hacked during the pre-Christmas shopping season. Later, in an update, it said that about 70 million customers also may have had their addresses, phone numbers and other information compromised.

Impact of the Compromise Still Hurting Target

The retailer is still reeling from that breach, saying last week that its fourth-quarter profit slid a whopping 46 percent and that revenue fell 5.3 percent. Target also said it has had to pay about $61 million in hacking-related expenses. In the March 5 announcement, the Minneapolis, Minn.-based retailer said it will reconstruct its IT team and will look to the outside for an interim CIO who can guide the company through that process, Target Chairman and CEO Gregg Steinhafel said in a statement to the media. "While we are still in the process of an ongoing investigation, we recognize that the information-security environment is evolving rapidly," Steinhafel said. "To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information-security and compliance structure and practices at Target." Steinhafel said the company also will elevate the role of the chief information security officer and will start another external search for a chief compliance officer.

Magnetic Credit Cards at POS Locations Was Main Issue

The problems started when thieves broke into the point-of-sale (POS) system at Target in the October-November 2013 time frame.

At that time, they stole the data from the magnetic stripes on the back of credit and debit cards. Target, like virtually all other stores in the United States, depends on that information on the magnetic stripe to read all the relevant credit card information to make a sale. As the result of the data compromises at Target and at Neiman-Marcus last fall, U.S. banks and retailers now are looking at alternate versions of cards and card readers that would have protected credit card customers with an embedded chip in the card. Target is pledging to speed up the adoption of EMV (Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards) payment card IT.

These cards use encrypted chips for a stronger defense against hackers. The EMV chip that is now embedded in some credit cards is a microprocessor that holds an encrypted version of the information that's on the magnetic stripe. It establishes communication with the POS terminal and passes the credit card information to it, keeping the data encrypted.

If thieves managed to steal the data, which is unlikely, it would still be encrypted and difficult, if not impossible, to use.

EMV Chips Now Being Sought

The problem is that for the EMV chip to be useful, the customer has to have the embedded chip, and the merchant has to have a card reader that can read it. Those card readers are actually installed in some stores in the United States now, but many don't want to spend the money to upgrade to new card readers. As might be expected, the data breach has been the centerpiece of a growing number of shareholder lawsuits. Prominently among them is one brought by the Police Retirement System of St. Louis against Target, its board and top executives. The lawsuit, filed by the $700 million pension fund, accuses Target of "breach of fiduciary duty and waste of corporate assets."

Bitcoin bank Flexcoin shuts down after hack

The Canadian Bitcoin bank goes offline after hackers steal 896 bitcoins -- valued at more than $580,000 -- through a flaw with the Web site.

March 5, 2014 2:10 PM PST

Bitcoin is going through a bit of a rough patch. Just over a week after Bitcoin exchange Mt. Gox filed for bankruptcy, Bitcoin bank Flexcoin shut down after hackers stole all of its digital currency. Hackers stole 896 bitcoins -- worth more than $580,000 based on Bitcoin's current trading value -- in an attack on Sunday, according to a note posted on the Canadian bank's site. Flexcoin decided to close its doors, saying it did not have "the resources, assets, or otherwise to come back from this loss."

Flexcoin offered more details on exactly how the hackers managed to steal the digital currency in an update posted Wednesday:

"The attacker logged into the flexcoin front end from IP address under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy. The coins were then left to sit until they had reached 6 confirmations. The attacker then successfully exploited a flaw in the [front-end] code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to "move" coins from one user account to another until the sending account was overdrawn, before balances were updated. This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins."

Flexcoin said bitcoins that were held offline, or in "cold storage," were not affected by the hack, and users could transfer out their bitcoins free of charge. Everyone else was pointed to a , which states that Flexcoin is not responsible for insuring bitcoins stored in its system. In other words, they won't be getting any of their digital currency back.

While Bitcoin continues to have staunch defenders, this latest hack will certainly add to concerns over the digital currency. Prominent exchange Mt. Gox went offline early last month and then filed for bankruptcy after it was revealed that hackers stole nearly 850,000 bitcoins through a weakness in the Tokyo-based company's system.
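The overdraw Flexcoin describes is a race between checking a sender's balance and debiting it: when many transfer requests arrive together, every one of them reads the same pre-transfer balance, passes the check, and then writes. The following Python is an added illustration and not Flexcoin's code (its front end is not shown on the page); the SQLite ledger, the account names and the amounts are constructed for the demonstration. It contrasts the read-then-write pattern with a single conditional UPDATE, and drives every request through the check window before any of them writes, so the outcome is deterministic rather than dependent on thread timing.

```python
import sqlite3


def make_ledger(opening_balance=10):
    """Constructed sample ledger (not Flexcoin's data): alice holds the opening
    balance, bob holds nothing."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [("alice", opening_balance), ("bob", 0)])
    con.commit()
    return con


def balance(con, name):
    return con.execute("SELECT balance FROM accounts WHERE name = ?", (name,)).fetchone()[0]


def naive_transfer(con, src, dst, amount):
    """Vulnerable pattern: the balance check and the debit are separate statements.
    Written as a generator that yields once between them, so the scheduler below can
    run other requests at exactly that point (the 'before balances were updated' window)."""
    if balance(con, src) < amount:
        return False
    yield "checked"  # window: the check passed but the balance has not been written
    con.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
    con.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
    con.commit()
    return True


def safe_transfer(con, src, dst, amount):
    """Hardened pattern: check and debit are one conditional UPDATE. The database
    evaluates 'balance >= amount' and applies the debit as a single atomic step, so no
    interleaving of requests can separate them; rowcount reports whether it happened."""
    yield "queued"  # other requests may run here; it no longer matters
    cur = con.execute(
        "UPDATE accounts SET balance = balance - ? WHERE name = ? AND balance >= ?",
        (amount, src, amount))
    if cur.rowcount != 1:
        con.rollback()
        return False
    con.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
    con.commit()
    return True


def run_simultaneously(transfer, con, requests):
    """Advance every request to its first yield before resuming any of them.
    This reproduces 'thousands of simultaneous requests' deterministically: all the
    checks happen before all the writes. Returns one True/False result per request."""
    gens = [transfer(con, *req) for req in requests]
    results = [None] * len(gens)
    live = []
    for i, gen in enumerate(gens):
        try:
            next(gen)
            live.append(i)
        except StopIteration as stop:   # rejected before reaching the window
            results[i] = stop.value
    for i in live:
        try:
            next(gens[i])
        except StopIteration as stop:
            results[i] = stop.value
    return results


if __name__ == "__main__":
    # Three requests, each trying to move alice's entire balance of 10 to bob.
    requests = [("alice", "bob", 10)] * 3

    con = make_ledger(10)
    print("naive:", run_simultaneously(naive_transfer, con, requests),
          "alice =", balance(con, "alice"), "bob =", balance(con, "bob"))
    # naive: every check saw 10, so all three debits apply and alice ends at -20

    con = make_ledger(10)
    print("safe: ", run_simultaneously(safe_transfer, con, requests),
          "alice =", balance(con, "alice"), "bob =", balance(con, "bob"))
    # safe: only the first conditional UPDATE matches a row; alice ends at 0
```

The naive version overdraws the sender by exactly the pattern Flexcoin reported; the hardened version cannot, because the check is part of the write. A `CHECK (balance >= 0)` constraint on the column is a worthwhile second line of defence: with it in place the naive write would fail with an integrity error instead of silently going negative, and a spike of such errors is also a useful detection signal.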

This has reportedly spurred the Japanese government to start outlining policies regulating the virtual currency.

Here in the US, Sen. Joe Manchin called on the government to issue an outright Bitcoin ban.

Responding to senator’s bid to ban Bitcoin, congressman calls for cash...

"Dollar bills are present in nearly all major drug busts in the United States."

FBI believes small Pennsylvania hosting company is connected to Silk Road

Affidavit says JTAN, a privacy-minded firm, was backing up Silk Road's server.

Feds drop most charges against former Anon spokesman

In 2012, Barrett Brown was hit with 12 charges related to a link he posted in IRC.

Japan’s response to Mt. Gox Bitcoin mess: Taxes, report says

The country will outline its plans to manage the crypto-currency later this week, and could limit banks' handling of it. March 5, 2014 8:22 AM PST Japan has plans to step in now that the Mt. Gox mess has affected Bitcoin owners all over the worl...

VU#823452: Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities

Serena Dimensions CM 12.2 Build 7.199.0 web client and possibly earlier versions contains multiple cross-site scripting vulnerabilities.