Saturday, December 16, 2017

Twitter announces security improvements

Twitter has introduced enhanced user identification processes to identify suspicious logins as part of efforts to boost security in a post-Snowden and post-Heartbleed era. The micro-blogging site said the move is aimed at protecting members who reuse the same passwords across multiple sites. The new system does this by analysing login attempts to accounts, looking at information such as location, device used and login history to identify suspicious behaviour.

“If we identify a login attempt as suspicious, we’ll ask you a simple question about your account – something that only you know – to verify that your account is secure before granting access,” Mollie Vandor, a product manager at Twitter, wrote in a blog post. “We’ll also send you an email to let you know that we’ve detected unusual activity so you can update your password if need be,” she said.

The move is the latest by Twitter to maintain user trust through improved security and privacy measures. “We will continue to work on bolstering Twitter account security so you can keep enjoying Twitter safely,” Vandor wrote.

US-based technology firms and online service providers have been keen to bolster user trust in the wake of whistleblower Edward Snowden’s revelations of internet surveillance by state intelligence agencies. Twitter is among the technology firms that have called for greater transparency around US government data requests. In November 2013, Twitter introduced perfect forward secrecy to prevent spy agencies collecting data on users without the company’s permission.

Twitter has also announced a streamlined password reset process that enables users to choose whether reset details should be sent to their registered email address or phone number. This allows flexibility in case the phone number has been changed recently, users have limited access to devices, or the registered email address is no longer valid.
Twitter said it has also made it easier to reset a lost password on iOS or Android devices, and that it has added customised tips to help users strengthen account security in the future.
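The article describes the mechanism only in outline: compare each login attempt with the account's known locations, devices and login history, and if it looks anomalous, challenge the user and send a notification email. The following is an added illustration of that kind of risk-based login check; it is not Twitter's code, and the signals, weights, the threshold of 3 and the sample account history are all constructed assumptions chosen to show the decision logic.

```python
"""Risk-based login check (added example, not Twitter's implementation).

Each password-correct attempt is scored against what the account has seen
before: known devices, known countries, and how recently and from where the
last login happened. A score at or above CHALLENGE_THRESHOLD means the user
is asked a verification question and an alert email is queued.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CHALLENGE_THRESHOLD = 3  # assumed policy value, not a published one


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    ts: datetime
    country: str
    device_id: str
    password_ok: bool  # the risk check only runs once the password is correct


@dataclass
class AccountHistory:
    known_countries: set
    known_devices: set
    last_login_ts: datetime
    last_login_country: str


def score_attempt(a: LoginAttempt, h: AccountHistory):
    """Return (score, reasons) for one attempt against the account history."""
    score, reasons = 0, []
    if a.device_id not in h.known_devices:
        score += 2
        reasons.append("unknown_device")
    if a.country not in h.known_countries:
        score += 2
        reasons.append("unknown_country")
    # "Impossible travel": a different country less than two hours after the
    # previous successful login.
    if a.country != h.last_login_country and a.ts - h.last_login_ts < timedelta(hours=2):
        score += 3
        reasons.append("impossible_travel")
    return score, reasons


def decide(a: LoginAttempt, h: AccountHistory) -> dict:
    """Map an attempt to allow / challenge / deny plus whether to email the user."""
    if not a.password_ok:
        return {"action": "deny", "score": None, "reasons": ["bad_password"], "notify": False}
    score, reasons = score_attempt(a, h)
    if score >= CHALLENGE_THRESHOLD:
        # Step-up: ask the account question; email the user about unusual activity.
        return {"action": "challenge", "score": score, "reasons": reasons, "notify": True}
    return {"action": "allow", "score": score, "reasons": reasons, "notify": False}


def run(attempts, history: AccountHistory):
    """Process attempts in order; only allowed logins update the history."""
    decisions = []
    for a in attempts:
        d = decide(a, history)
        if d["action"] == "allow":
            history.known_devices.add(a.device_id)
            history.known_countries.add(a.country)
            history.last_login_ts = a.ts
            history.last_login_country = a.country
        decisions.append(d)
    return decisions


def make_history() -> AccountHistory:
    """Constructed sample history: one laptop, always from GB."""
    return AccountHistory({"GB"}, {"dev-laptop-1"}, datetime(2014, 5, 20, 9, 0), "GB")


# Constructed sample attempts for one account.
ATTEMPTS = [
    LoginAttempt("alice", datetime(2014, 5, 20, 10, 0), "GB", "dev-laptop-1", True),   # routine
    LoginAttempt("alice", datetime(2014, 5, 20, 10, 30), "US", "dev-unknown-7", True), # new device, new country, 30 min later
    LoginAttempt("alice", datetime(2014, 5, 21, 10, 0), "GB", "dev-phone-2", True),    # new device only
    LoginAttempt("alice", datetime(2014, 5, 21, 11, 0), "GB", "dev-laptop-1", False),  # wrong password
]

if __name__ == "__main__":
    for a, d in zip(ATTEMPTS, run(ATTEMPTS, make_history())):
        print(a.ts, a.country, a.device_id, "->", d["action"], d["reasons"])
```

The second attempt trips three signals at once (score 7) and is challenged; the third, a new device from the usual country, scores 2 and is allowed, after which that device becomes known. Whatever the weights, the important property is that a correct password alone never short-circuits the check.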

‘Private’ electoral roll data sold to junk mail company after software...

Supposedly private electoral roll information is suspected to have been sold to junk mail companies in a series of leaks from local authorities. The security lapses are thought to be so widespread that as many as one in four local authorities may have been involved.

The Information Commissioner's Office (ICO) says that a "software error" is reportedly to blame, while the Daily Mail newspaper has named Reading-based software company Idox for the mistake. The data leak is believed to have affected only people who requested that their personal data not be sold to third-party organisations when signing their annual electoral roll return. Electoral rolls are typically passed on to credit reference agencies, which then sell the data to direct marketing companies. Electoral rolls in as many as 90 local authorities are thought to have been affected.

The ICO is now investigating and, bizarrely, has asked councils that may have been affected by the security lapse to come forward, rather than investigating them itself. Three councils in Wales (Rhondda Cynon Taf, Torfaen and Caerphilly) and Wokingham council in Berkshire are the only ones that have so far come forward. Local authorities make hundreds of thousands of pounds from the sale of electoral roll data; each record is worth about £5.

Wokingham council blamed the software it uses to manage its electoral roll data for the problem. Andrew Moulton, Wokingham council's head of governance and improvement services, told the Daily Mail: "As soon as we were made aware of the matter we took swift action to remove names and addresses from the public domain." He continued: "For a short time their names and addresses were incorrectly included on the edited register, which means they may have received material from direct marketing companies during this time. We have since provided the correct information to the various agencies that sell on this type of information and we believe personal details have now been removed."
A spokesman for the ICO told the Daily Mail: "The full version of the electoral register should only be used for elections, preventing and detecting crime and checking applications for credit. Any suggestion that it has been made available for other purposes raises clear data protection concerns." It continued: "We are aware that a number of councils have reported that a software error has resulted in the full electoral register being made available more widely than it should have been. We are currently making enquiries into these potential data breaches."

IT staff being targeted by foreign intelligence agencies – MI5

IT staff are being targeted by foreign intelligence agencies seeking to steal intellectual property, Edward Snowden-style, and other information. Alternatively, they might be used to help launch cyber attacks against critical infrastructure in the eve...

Security Think Tank: Secure and seamless collaboration key for business

Very few companies are able to prosper without co-operation with business partners and suppliers. The key element of these relationships is trust – trust that the other party will do what has been agreed, and will do it in a mutually beneficial way. This cannot be achieved without communication, data exchange and collaboration.

This is an opportunity for CISOs to shed the reputation of being “a control department” and become “an enabling partner”. They should be proactive and show business executives that it is possible to collaborate effectively with partners in a secure way.

The key success factor, however, is how seamless the process and tools for collaboration are. No one wants cumbersome processes just to share a file with an external partner. If this is what the CISO delivers, users will find ways around the security controls, effectively making the security investment worthless.

What CISOs and security architects need to do is deliver controls that are both secure and seamless or, at the very minimum, easy to use. This is an area where controls placed as close to the actual data as possible work best. While the traditional approach was to connect the networks over VPN, effectively joining two hard-edge/soft-core networks, the data-centric approach better matches today’s way of remote working, the explosion of cloud services and the proliferation of devices that access the data. Indeed, the rethinking of security strategies, supported by technological advances, protocol standardisation and a boom in usable and secure cloud services, has made data-centric strategies possible.

So what data-centric controls are available right now for CISOs and security architects?

Data classification tools, which add metadata to data objects, allow other security technologies to decide what the appropriate level of protection is. This is a key element of any data security strategy.

Digital/document rights management (DRM) delivers encryption of the data content. New versions of applications support the data lifecycle with DRM-protected content. CISOs need to know which applications are going to be used for collaboration.

Standardisation in identity and access management allows companies to grant access to their resources (such as DRM-protected files) to users of their partners. This is a very powerful message for users, delivering seamless single sign-on to resources.

Data leakage protection/detection tools can analyse the metadata/tags and ensure the information security classification policy is adhered to; for example, encrypting a sensitive Word document before it is sent to a recipient.

This is just a selection of the most prominent examples. The data-centric architecture requires rethinking traditional security and IT strategies. However, it is a worthwhile exercise to regain lost business trust in security leadership.

Vladimir Jirasek is managing director of Jirasek Consulting Services.

This was first published in May 2014

MPs call for spy agency oversight reforms

Parliament’s cross-party home affairs select committee is calling for wide and radical reforms of intelligence agency oversight mechanisms to improve accountability. The revelations of mass internet surveillance by US National Security Agency (NSA) whistleblower Edward Snowden are an “embarrassing indictment” of current measures, the committee said in a report.

The MPs said one of the reasons Snowden gave for his actions was that he believed the oversight of security and intelligence agencies is weak. They said the current UK system was designed in a pre-internet era and is so ineffective that it is undermining the credibility of the intelligence agencies and parliament itself. The report is the first parliamentary acknowledgement that Snowden's disclosures should lead to serious improvements in the oversight and accountability of the security services, said the Guardian.

The MPs are calling for a refined system of democratic scrutiny, which requires reforms to the way members are elected to the intelligence and security committee (ISC) and an end to its exclusive oversight role.

Call for tribunal overhaul

The report also calls for a complete overhaul of the "part-time" and under-resourced system of oversight commissioners and for greater transparency regarding the Investigatory Powers Tribunal. The tribunal is currently the only body that can investigate complaints against UK security agencies. The report calls for a parliamentary review of the Regulation of Investigatory Powers Act (RIPA) 2000 to bring it up to date with technology and improve its oversight safeguards.

The Home Office issued its stock response to the report, saying UK security and law enforcement agencies operate in a strict legal and policy framework and under the tightest of controls and oversight mechanisms. “This represents one of the strongest systems of checks and balances and democratic accountability for secret intelligence anywhere in the world,” the Home Office said in a statement.

The ISC responded to the report by saying plans for its own inquiry into the laws governing intelligence agencies are already underway. In December 2013, the ISC called for written submissions for its inquiry just days after top technology firms joined forces to advocate urgent reforms of all internet surveillance programmes, such as Prism in the US and Tempora in the UK. The alliance of eight companies said in an open letter to US authorities that the documents leaked by Snowden “highlighted the urgent need to reform government surveillance practices worldwide”.

Microsoft Lays Out Its Mobile Device Management Strategy

Enterprise Mobility Suite, Azure Active Directory and Intune anchor Microsoft's new "mobile-first, cloud-first" approach to user and device management.

Microsoft offered a glimpse of its mobile IT management ambitions during the March 27 launch of Office for iPad. Now, Brad Anderson, corporate vice president of Windows Server & System Center, is spelling out just how the company plans to make its mark in the sizzling mobile device management (MDM) market. "Our vision is to help organizations enable their users to be productive on the devices they love, while protecting the company," said Anderson in a statement.

The long-awaited Office apps for the iPad, the best-selling tablet line from rival device maker Apple, weren't the only products Microsoft announced on March 27. The company also took the wraps off a new MDM solution called Enterprise Mobility Suite (EMS). Julia White, corporate vice president of marketing for Microsoft Office, said during the EMS debut that it offers "one place to go to manage the bring-your-own-device [BYOD] strategy, help in a cloud-based way, do identity and access management as well as protect company data."

Anderson echoed some of those themes in a blog post, the first of what will become a series of updates, that details some of the principles that guide his company's MDM efforts and the steps that Microsoft is taking to fulfill its vision. BYOD makes financial sense, argued Anderson. Users are "more productive and more satisfied" in BYOD-friendly organizations, which, in turn, helps improve the bottom line. "In pure dollars and cents, this satisfaction and efficiency generates significant positive impact for the company," he said. Yet organizations must also grapple with keeping data safe and users secure. It's a balancing act that Anderson feels Microsoft is perfecting with EMS and the company's user and device management ecosystem.

"Our approach has been to put the end-user in full control of what happens on their personal device when they bring it to work," stated Anderson. "The company, however, should be the ultimate authority and in full control of the corporate assets (applications and data) being accessed and stored on the personal device." And it all starts with the user identity piece of the puzzle, he asserted.

Cloud-Enabled MDM

Describing Active Directory as "the authoritative source of corporate identity around the world," Anderson said that the on-premises platform's capabilities have been extended to the cloud in the form of Azure Active Directory (AAD). Organizations can leverage AAD to allow users to register personal devices, which "is super critical because you need to be able to express policy on both the user and the device," he stated.

In terms of mobile security, Microsoft's plans continue along a platform-agnostic path, suggested Anderson. "I believe that, eventually, all the mobile device/OS vendors will deliver native containers for corporate content (SAFE on Android is a specific example today), and these OS components will be integrated into solutions like Intune and Azure Active Directory."

Finally, Microsoft is banking on Azure to provide enterprises with MDM components that are easy to manage, more cost-effective to acquire and more responsive to the rapidly evolving mobile device market. For instance, Windows Intune, Microsoft's cloud-based IT management platform, "is updated and improved at a cloud cadence," said Anderson. He added that, like Office 365, EMS is now licensed on a per-user basis. "This means you no longer have to count the number of devices in the organization or be concerned about your costs increasing as your users bring in more mobile devices," he said.
