Thursday, December 14, 2017
Home Tags Facebook

Tag: Facebook

commentary Yahoo CEO Marissa Mayer confesses that she doesn't use a passcode to protect her smartphone, which goes to show you how hard it is to get people to take reasonable precautions. But it's also an improper risk for a major corporate leader. Ya...
As Google ramps up its data-encryption efforts, now is a good time for enterprises to consider their own data-protection postures. Revelations made public last week about alleged National Security Agency (NSA) capabilities for defeating Internet cryptography are having a ripple effect, causing companies big and small to re-evaluate their use of cryptography. One of those vendors is none other than Google. According to a published report in The Washington Post, Google is accelerating its efforts to cryptographically secure data. Google's moves do not require any specific action from users as the activity is focused around encrypting data between Google's own data centers. Google's actions are being praised by some and met with skepticism by others. Carson Sweet, CEO and co-founder of CloudPassage, told eWEEK that in his view, Google's actions are a step in the right direction. "There's no way that Google can prevent snooping for every situation, but the level of investment they're making here is a big statement as to their commitment to customer privacy," Sweet said. "The unfortunate reality is that a government agency is no different from any other attacker seeking sensitive data; if one attack vector is severed, they will go to work looking for another one." Geoff Webb, director of solution strategy at NetIQ, told eWEEK that Google's highly visible stance on the issue of data protection is not too surprising, as Google relies on trust from its consumers. "However, while encrypting data will certainly hinder illegal hackers and potentially slow down untargeted data gathering by the NSA, the real question with encryption is—who has access to the keys?" Webb said. "If the NSA is able to gain access to the keys used to encrypt the data, then there is no additional privacy for users." Carl Livitt, senior managing associate at security consultancy Bishop Fox, isn't quite as positive about Google's actions for a number of reasons. What Google is actually specifically doing with its new encryption is not yet publicly known, Livitt pointed out, adding that going a step further as a government agency, the NSA still has mechanisms that could allow it to get what it wants. "If the NSA were to approach Google and demand access to their new encryption using a secret FISA [Foreign Intelligence Surveillance Act] court order, Google would be gagged from talking about it," Livitt said. "This leaves us right back at square one." What Should Enterprises Do? Regardless of what Google is doing to protect itself and its own customers, a good best practice for enterprises that CloudPassage's Sweet suggests is for organizations to take control of their own privacy. "What the providers do is helpful, but at the end of the day, adding privacy technologies that you control is the best way to have assurance," Sweet said. "From the Google perspective, there are dozens of gApps add-ons that encrypt email, content, etc., and leave the keys in your control." Bishop Fox's Livitt is somewhat more pessimistic about what users should or shouldn't use. Office365, Skype, Gmail, Yahoo Mail, Hotmail and Facebook are all compromised by the NSA, he said. "If this affects you, don't use those services," Livitt said. Enterprises should assess their own risk—with the understanding that some data is more important than others—and  should take extra safeguards for critical information, Livitt said. Those worried about government snooping should use their own infrastructure and avoid the cloud, Livitt said. "If you must use the cloud, avoid U.S.-based cloud providers because you will never know if your data is being tapped—this is because of the secret FISA court orders and related gag orders," he said. "Do research into non-USA cloud providers, but avoid New Zealand, U.K., Australia and Canada; they are all working together with the NSA.

If all of that fails, try wearing a tinfoil hat." Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.   ${QSComments.incrementNestedCommentsCounter()} {{if QSComments.checkCommentsDepth()}} {{if _childComments}}
Facebook and Yahoo have asked the Foreign Intelligence Surveillance Court (FISC) for permission to publish details of national security requests they receive from the US government for user data. In a policy statement on Tumblr, Yahoo's general counse...

Kroes: ‘Roaming will go’

Neelie Kroes, European Commissioner for Digital Agenda, was recently accused of quietly ditching a policy on cutting roaming data charges within the EU.

Talking to Computing at the Telefonica-sponsored Campus Party in London earlier this month, she was quick to dispel any confusion, confirming that “roaming will go”. Kroes said that she is currently finalising a proposal to this effect that will come into force in 2016, adding that there has been no backtracking, nor will there be any in the future. Kroes was keen to clear up another “misunderstanding”: the idea that she is using her position in the European Commission to promote “restrictive” cloud computing policies. The head of the government’s G-Cloud initiative, Denise McDonagh, is worried that a Commission-certified cloud service, which is what Kroes wants, may prevent smaller companies from taking part in governmental cloud projects. “It’s not fair to say that,” Kroes said, adding that it’s not just big businesses, but SMEs too that are “coming round the table” in discussions about a European cloud, and there “is no way” any type of company will be favoured above another. For one so often accused of changing her mind, Kroes is refreshingly keen on transparency these days. “What we propose in the cloud strategy is to clarify what’s at stake,” she says. Kroes’s plan is to have cloud and telecoms protected and watched by a single regulator, in order to help allay security and privacy fears. She professes concern about public clouds in the wake of recent government snooping scandals involving both public and private internet services. “For me, that was a wake-up call,” said Kroes. “It is naive to think that we weren’t aware that something was happening. Of course it was. We now have to act.

A European cloud has to be more secure, otherwise how can we say ‘Yes, you should go with this for your business’?” But given all the lurid revelations around the NSA’s Prism programme and similar eavesdropping practices at the UK’s GCHQ spy centre, it is highly unlikely that a few words of reassurance from the likes of Kroes will engender trust in the integrity of the EC’s cloud plans. Indeed what Kroes went on to say will only heighten concerns around data privacy in the cloud, for she argued that on the internet, some information just cannot be protected. “Never trust somebody if you really have something to lose; be aware that life is more open and transparent – you need to be aware,” said Kroes. “Kids are vulnerable when they are not aware that when they go online certain information will show. I think we are taking risks and shouldn’t allow it – if you’re not mentioning how transparent it is to go online. “I’m always surprised by people who put all their information on Facebook pages – things I wouldn’t even mention– and then start talking about needing privacy,” Kroes continued. But would she advocate the use of fake names or other anonymising methods? “No! I’m not using fake names, and I’m on social media, but there are certain issues: for me, the most important thing is to know what you’re doing,” Kroes said. Asked whether she believes governments should be allowed unchallenged access to private data, Kroes said: “That is an interesting discussion, and in general I would say no. [But] if you want your government to take care of your security, then they’ll have certain requirements in order to achieve that.” Kroes believes this is a bargain that has to involve a level of trust that the government isn’t using the need to maintain security as an excuse to abuse its power.

Unfortunately, this trust has now been undermined by the Prism revelations and similar scandals, she said. With the US government and its partners playing fast and loose with the data privacy rights of innocent citizens, it’s hard to imagine a tougher time to promote a public sector-administered cloud network. But Kroes remains passionate about the need for a European cloud, and can only be hoping that the spooks of the NSA and GCHQ haven’t got anything else up their sleeves that will make her task even harder. @PeterGothard
Yahoo has begun legal action to demand the right to disclose the number of user data requests it receives from US national security agencies. The internet firm is among several large technology companies trying to distance themselves from the Prism internet surveillance programme revealed by whistleblower Edward Snowden in June 2013. Yahoo’s suit in the US Foreign Intelligence Surveillance Court (FISC) comes just days after the firm published its first report on the overall number of government requests for data. Google and Microsoft have published similar so-called “transparency reports” since Snowden’s revelations about Prism. But the report numbers include all requests made for criminal law enforcement and national security under the controversial Foreign Intelligence Surveillance Act (FISA) and National Security Letters (NSLs). In June 2013, Google, Facebook, Twitter and Microsoft called on the US government to allow them to publish greater detail about requests they receive to hand over user data. Early in September 2013 the companies announced plans to sue the government for the right. Now Yahoo has applied to the FISC for permission to provide a breakdown of these figures to show how many requests are received under specific national security statutes. The US government currently prohibits companies from disclosing this information. Yahoo general counsel Ron Bell said the company believes the US government can protect public safety without preventing internet companies from disclosing the number of national security requests they get. “Ultimately, withholding such information breeds mistrust and suspicion, both of the United States and of companies that must comply with government legal directives,” Bell wrote in a blog post. In July 2013, Yahoo won a legal battle to have papers from a key 2008 court case declassified and published to prove the company’s opposition to the Prism surveillance programme. Shortly afterwards, the US government announced it would publish aggregate annual data about its requests for phone call logs and internet chats. Yahoo’s Ron Bell said this was an important first step in the direction of the US leading the world when it comes to transparency, accountability and respect of civil liberties and human rights. “Granting our petition for greater transparency around national security requests for user data is a critical second step,” Bell wrote. Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from
Google, Facebook, Yahoo want to report the number of secret requests they get.    
In an attempt to achieve greater transparency with users, the companies petition the US government for permission to publish requests made under the Foreign Intelligence Surveillance Act. September 9, 2013 9:05 AM PDT Three prominent online comp...
The agency can spy on Android devices and even the BlackBerry, but the iPhone is a favorite target, according to German news site Der Spiegel. September 9, 2013 8:43 AM PDT (Credit: Sarah Tew/CNET) The iPhone apparently is popular not just with ...
Hackers are focusing on vulnerabilities in the PHP web application development platform threatening most websites, warns the latest hacker intelligence report from security firm Imperva. This practice is in line with the well-established trend of hackers aiming at commonly used third-party components to get the best return on investment. PHP is an alternative to Microsoft's Active Server Page (ASP) technology and is used mainly on Linux web servers. “Because compromised hosts can be used as botnet slaves to attack other servers, exploits against PHP applications can affect the general security and health of the entire web,” said Amichai Shulman, CTO at Imperva. “The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80% of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.” Return on investment According to the report, hackers are increasingly capable of packaging higher levels of sophistication into simpler scripts. PHP SuperGlobals are a prime target that yields a high return on investment. PHP SuperGlobals are several predefined variables in PHP available in all scopes throughout a script. The PHP SuperGlobal parameters are gaining popularity in the hacking community because they incorporate multiple security problems into an advanced web threat.

This can be used to break application logic, compromise servers and result in fraudulent transactions and data theft, researchers said. They note that PHP applications do not protect against the modification of variables from external sources, such as query parameters or cookies. According to the report, the researchers have seen attackers abusing SuperGlobal variables for the purpose of remote code execution, remote file inclusion and security filter evasions attacks. In one month, Imperva’s research team noted an average of 144 attacks per sample application that contained attack vectors related to SuperGlobal parameters. These attacks appeared in the form of request burst floods, with peaks of between 20 and 90 hits per minute on an application, with some attacks lasting more than five months. Researchers said SuperGlobal variable manipulation is becoming popular and that some of the biggest vulnerability scanners are specifically looking for this vulnerable vector. Researchers found a vulnerability in the popular PhpMyAdmin (PMA) utility used to manage MySQL databases in PHP environments. Security researchers' recommendations They said that, because it is often bundled with other applications using the popular MySQL database, having this vulnerable utility present on the server – even if it is not being used by the administrator – exposes the server to code execution attacks and, as a consequence, to full server takeover. The report therefore recommends an “opt out” security model. The report concludes that only a positive security mechanism that specifies the allowed parameter names for each resource can prevent an attacker from taking advantage of the external variable manipulation weakness, which gives anyone the ability to send out external parameters with the same name of internal variables, and thus override their values. Researchers recommend that SuperGlobal parameters in requests should be blocked as there is no reason for them to be present. Finally, the report notes that, although the PHP method is a powerful way of carrying out attacks on targets, the method has pitfalls. According to the researchers, an application security system that can detect and mitigate a single stage of the attack can render the entire attack useless. Email Alerts Register now to receive IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from
Is there any greater reason to believe that companies to which we give our information every day will guard it more preciously than any government? (Credit: Chris Matyszczyk/CNET) "We want to be really, really clear that whenever you give us informatio...
In a post-Snowden era, it's getting hard to tell prudence from paranoia.    
Getting in on the transparency game, Yahoo lists user data requests globally.