Friday, November 17, 2017

NSA’s broken Dual_EC random number generator has a “fatal bug” in...

No plans to fix a bug in "toxic" algorithm that no one seems to use.

BitTorrent serverless chat replaces usernames with crypto keys

"With BitTorrent Chat, your identity is a cryptographic key pair."

Former CIA chief: Snowden should be “hanged by the neck until...

A very tentative suggestion of amnesty on a CBS program leads to a threat.

Bitcoin-only poker site resets user credentials after 42,000 passwords leak

Forum post seeking cracking help promises $480—in Bitcoins, of course.

Google: Government takedown requests on the rise

Google's latest transparency report numbers highlight a "worrying" trend that has emerged over the last four years: government requests to remove critical political content. December 19, 2013 10:07 AM PST. The number of requests ...

Target Data Breach Affects US In-Store Customers

The retail giant admits that the breach may have affected 40 million credit card accounts. U.S. retailer Target quite literally has a target painted on itself, and it's one that attackers are now confirmed to have hit in one of the largest data breaches on record. Target admitted today that approximately 40 million credit and debit card accounts are at risk from the breach.

The affected accounts were compromised between Nov. 27 and Dec. 15, over the crucial Black Friday and Christmas holiday shopping period. Though full details on the breach have not yet been made public, Target has confirmed that the breach affects customers who shopped in physical Target stores in the United States. Target also has an online store as well as operations in Canada, though the company has not confirmed whether those operations were affected. The data the attackers were able to obtain includes customer names, debit/credit card numbers, card expiration dates and the three-digit Card Verification Value (CVV). Target has also stated that the issue has now been resolved and that the company is working with financial institutions and law-enforcement agencies.

"Target’s first priority is preserving the trust of our guests, and we have moved swiftly to address this issue, so guests can shop with confidence," Gregg Steinhafel, Target chairman, president and CEO, said in a statement. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."

In an open letter published today to its customers, Target provides a number of recommendations on what potential victims of the breach should do. Target recommends that retail customers review their credit card account statements and monitor their credit reports, and report any suspicious or unusual card activity to their financial institution. Target also suggests that customers visit the U.S. Federal Trade Commission (FTC)'s ID Theft website at www.consumer.gov/idtheft for additional information and tips.

The Target breach is likely the largest breach of a U.S. retailer since at least 2006, when TJX reported a data breach affecting 46 million of its customers. A year after the TJX breach was first reported, its scope widened, and as many as 96 million consumers were impacted.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

After sailing the domain name seas, Pirate Bay returns to Sweden

Infamous torrent-fueled site continues to face legal pressure at home.

Target: Hack may have hit 40 million accounts

Holiday shopping itself can be stressful enough.

Now Target adds to the angst with news of a widespread theft of customers' credit and debit card data. December 19, 2013 5:13 AM PST. ...

Civil Liberties Committee calls for tighter data protection for EU, following...

The preliminary conclusions of an inquiry by the European Parliament Civil Liberties Committee into the surveillance of EU citizens by the US National Security Agency (NSA), presented to members of the European Parliament (MEPs), call for political and technological changes. The draft conclusions call for an EU cloud and a proper analysis of the use of open source software, as well as political signals from the US that it understands the difference between allies and adversaries.

The conclusions, presented to MEPs by committee lead Claude Moraes, say Parliament’s technical capabilities and options should be properly assessed, including the possible uses of open source software, cloud storage and greater use of encryption technologies. “Any of this data stored in US companies' clouds can potentially be accessed by the NSA. An EU cloud would ensure that companies apply the high standards of EU data protection rules, and there is also a potential economic advantage for EU businesses in this field," he said.

There were also suggestions that changes should be made to trade deals between Europe and the US to better protect citizens' data. “We need to ensure that strong data privacy protections are achieved separately from the Transatlantic Trade and Investment Partnership (TTIP),” said Moraes.

For example, the committee said the European Commission should suspend the Safe Harbour principles, the data protection standards that US companies must meet when transferring EU citizens’ data to the US, and instead negotiate new, appropriate data protection standards. It also urged the EU’s executive arm to suspend the Terrorist Finance Tracking Programme (TFTP) deal with the US until a “thorough investigation is carried out to restore trust in the agreement.” In October, MEPs passed a resolution calling for the suspension of an EU agreement with the US that allows US authorities to monitor financial transactions on the Society for Worldwide Interbank Financial Telecommunication (Swift) network.

MEPs can table amendments to the draft resolution. It will be put to the vote by the Civil Liberties Committee at the end of January 2014, and by Parliament as a whole on 24-27 February.

User acceptance testing needs real training, not just a short course

Developing information systems is a high-risk occupation, and user acceptance testing (UAT) is the backstop that can avoid disasters. Not convinced? In June 2012, the interruption to NatWest and RBS payments following a routine software update cost an eye-watering £170m to fix. Similar disasters, which might have been avoided by thorough UAT, have been experienced by the Securities and Exchange Commission, the UK Passport Agency, the London Ambulance Service, Heathrow Terminal 5 and Microsoft Xbox 360.

Chaotic, problematic and ineffective

In spite of its importance, UAT is usually chaotic, problematic and ineffective. Often treated as an intuitive process, an exercise in which users and subject matter experts "have a go at trying to break the system", it is actually a process that requires careful preparation. It is vital that UAT is carried out by users, but subject matter expertise is not enough, and merely being a user is not enough either.

Why you need custom training

What users need in order to become an effective UAT team is custom-built training: not a run-of-the-mill course on UAT, but training designed specifically to address the complex demands placed on users deployed as user acceptance testers. Users have a unique perspective that is vital in user acceptance testing, and UAT training has to turn a group of users into a functioning team in which all members understand and take ownership of the quality of the system they test. Users should have a thorough understanding of the business objectives and should feel comfortable carrying out all the tasks they are expected to complete, including writing requirements, test conditions, test cases and test scripts. The key is incremental learning and development, supplementing short classroom courses with skills development that continues within the project team, supported by more experienced colleagues.

Developing an effective UAT team

What is required is a mix of training content and a process that supports users through the period of their learning, which will last for the length of the project and beyond. This strategy of supporting the learning, together with the quality of the training, is what underpins the confidence and skills that make UAT effective.

The ability of users to consult on, create content for and carry out UA testing should relieve some of the common time, budget and confidence pressures felt by any project so close to implementation. A properly thought-out schedule of training will avoid the problems that so often beset UAT:

- Reliance on UAT training alone carries the risk that the training is not embedded by applying newly acquired UAT skills 'back at the desk';
- Reliance on ad-hoc on-the-job learning alone carries the risk that the skill level of the user is not up to the task, or that users learn bad habits on the job;
- No training or on-the-job learning (relying on the skills of business analysts and testers) carries the risk that UAT is not relevant enough to the needs of the business.

An effective UAT training strategy:

- Provides a thorough understanding of the UAT process;
- Prepares the participants for the tasks they will have to carry out;
- Promotes team formation and sets out roles and responsibilities.

Using a considered approach to the learning and development needs of the UAT team will help to prevent the project falling at the very last hurdle.

Brian Hambling and Pauline van Goethem have nearly 60 years' combined experience in the IT industry in a wide variety of development, testing and project management roles. Brian has been chair of the Software Testing Examination Board at ISEB and an examiner at the ISTQB. Pauline is a member of the ISTQB Glossary review team.

This was first published in December 2013

NSA Cyber-Snooping Attacked on Three Fronts in Single Week

NEWS ANALYSIS: It's been a tough week for the National Security Agency, as its cyber-surveillance activities are slammed by a federal judge, a group of industry executives and, most significantly, the president's own advisers. A report released by a hand-picked panel of presidential advisers on Dec. 18 is only the latest blow delivered to the National Security Agency during the week leading up to Christmas.

The 300-page report was compiled by the Review Group on Intelligence and Communications Technologies. The group was chartered to study the activities of the NSA and other intelligence agencies and produced a list of 46 recommendations to change the structure and operations of the NSA and several related agencies.

While all of the recommendations are significant, the ones of greatest importance include changes to the Foreign Intelligence Surveillance Court (FISC), among them a Public Interest Advocate, to be created by Congress, who would represent the interests of privacy and civil liberties in proceedings before the court. The panel also called for limits on the court's power to compel private organizations to produce information, for increased transparency in the court's operations, and for new procedures for the selection of FISC judges. Some of the moves were sweeping, including a call to end the storage of metadata by the agency, a call to split the NSA from U.S. Cyber Command, and allowing the director of the NSA to be a civilian. In addition, the panel called for better protection of information to prevent thefts and leaks of classified information such as those carried out by former government contract employee Edward Snowden.

The panel's report is a major blow to an agency that once seemed sacrosanct, and it is only the latest of several headaches the NSA has endured in rapid succession. On Dec. 17, a group of technology company executives met with President Obama and, by all accounts, raised hell about government snooping on private corporate networks and on U.S. citizens' communications and data. The executives said that government surveillance was making it difficult to do business in an increasingly connected world.

That was preceded on Dec. 16 by a decision in the U.S. District Court for the District of Columbia, which held that the NSA's collection of phone metadata is an unconstitutional violation of the Fourth Amendment to the U.S. Constitution. "I cannot imagine a more 'indiscriminate' and 'arbitrary invasion' than this systemic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying and analyzing it with prior judicial approval," wrote Judge Richard Leon. The judge noted in his decision that the plaintiffs in the case would suffer irreparable harm without relief in their suit against the government, and that they have a strong likelihood of success on the merits of their Fourth Amendment claim. However, the judge issued a temporary stay of his injunction, citing national security implications.

Obama Task Force Makes Recommendations for US Surveillance Overhaul

NEWS ANALYSIS: A presidential task force makes sweeping recommendations to overhaul U.S. intelligence agency operations. The White House has officially released a Presidential Task Force report that was triggere...