
Tag: identity protection

NEWS ANALYSIS: Despite claims about advanced security, the Federal Trade Commission says that D-Link hard-coded login credentials, leaving encryption keys unprotected and publicly exposed on the web.

LAS VEGAS—My panel on cyber-security at CES was just starting when I introduced Federal Trade Commission attorney Ben Rossen, who is part of the Division on Privacy and Identity Protection.

Rossen opened his discussion with an announcement that the FTC had just filed a lawsuit in the U.S. Federal Court for the Northern District of California alleging that network equipment maker D-Link had been misleading in describing its advanced security technology and had endangered the public with lax product security practices.

Rossen said that the complaint was just one of what will be many complaints about poor internet of things device security. D-Link IP cameras were a major contributor to the immense IoT denial of service attacks that occurred last year, causing widespread disruption on the internet, including taking down Domain Name System services provider DYN.

Hackers had augmented the volume of their attacks by loading botnet software on vast numbers of IoT devices including security cameras, smart home devices and DVRs. If nothing else, Rossen made it clear why he was part of my panel on "Regulation and Enforcement in Cybersecurity." He said that the FTC was taking privacy and security risks affecting Americans very seriously. In this case, D-Link was allegedly engaging in unfair and deceptive practices by claiming to have provided security capabilities that clearly didn't exist. A typical example from the FTC complaint was the fact that D-Link had hard-coded "Guest" as the user name and password into its IP cameras. This made it easy for hackers to install botnet software on these devices so that thousands of them could be marshaled as part of a botnet.

But the security holes in the D-Link equipment went beyond that. In the FTC announcement on the enforcement action, the agency noted that a software flaw in D-Link equipment allowed command injection, in which hackers can send remote commands over the internet to the devices without authorization from the owner. In addition, the FTC complaint says that D-Link mishandled the private key used to sign the company's software products, by allowing it to be visible on the company's public website for six months.

Finally, when users could actually create their own logins and passwords, the D-Link software allowed those names and passwords to be stored in the clear on the equipment. The FTC complaint said that the flaws included insecure routers that could allow access to attached storage devices, which could then be directed to attack other devices on the network. The insecure routers could also be remotely programmed to direct users to fraudulent websites.
County claims chap tried to infiltrate medical, social services

Los Angeles wants to extradite a Nigerian man accused of swiping the passwords of more than 100 workers in 15 city and county departments via a phishing attack. The metropolis' prosecutors have obtained arrest warrants seeking the extradition of Austin Kelvin Onaghinor from Nigeria to face charges of identity theft and unauthorized access to a computer. The LA district attorney's office claimed on Friday that in May of this year, Onaghinor sent the emails to more than 1,000 of Los Angeles County's 120,000 employees. Of the 1,000, 108 of the emails tricked users into handing over their login credentials to city service portals. If convicted, Onaghinor could face up to 13 years in prison. The second-largest city in the US says that while it "thwarted" the attack, it is warning some residents that their personal information may have been exposed, and it's offering free identity protection services to the affected people. The notice, which will be mailed out to the affected citizens, warns that the exposed data includes "first and last name, date of birth, Social Security number (SSN), driver's license or state identification number, payment card information, bank account information, home address, phone number(s), and/or medical information, such as Medi-Cal or insurance carrier identification number, diagnosis, treatment history, or medical record number." "Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation," the notice reads. Those whose personal information was exposed will receive one free year of credit and identity monitoring services. The city says it will be improving its internal security and providing additional training to help employees spot and report phishing scams. ®
What malicious sites provide both free and paid access to stolen credit cards, company databases, malware and more?

With nothing more than a standard Web browser, cybercriminals can find personal, private information all over the public Internet.
It isn't just legitimate services - from genealogy sites to public records and social media - that can be mined and exploited for nefarious purposes. Openly malicious criminal activities are also happening on the public Internet.  True, much of the cybercrime underground consists of private and established communities that don't appear in a normal search engine and are not accessible by regular users without special authorization. However, according to the team at identity protection and fraud detection provider CSID, there are different levels of cybercriminal resources - and not all are so tightly protected.

The quality and quantity of the more easily accessible forums are still high, say the CSID team, and anyone can access content such as stolen credit cards, cyberattack tools, and even advanced malware, which can be leveraged with minimal technical know-how required. Adam Tyler, chief innovation officer at CSID, describes how black-market organizations are becoming more like traditional online businesses we visit and buy from every day. “For example," he says, "many sites now have their own Facebook, Twitter and even YouTube pages to advise their member base on new attacks and tools that are available.” Data sold on criminal marketplaces “age quickly, meaning that once the information is stolen, it has to be used for fraudulent purposes quickly,” says Christopher Doman, consulting analyst at Vectra Networks. “The more times the information is abused for fraud, the more the information will be devalued.” “Companies should have these marketplaces monitored, looking for trends in data breaches and attacks as well as to see if any of their data has been compromised,” says Carefree Solutions’s CEO Paul San Soucie. “One point that I’m not sure is evident is that there is more public and Dark Web research than any one IT person can handle. Researching and absorbing this information requires significant training and experience.

Even large US banks that have dedicated security staff are not able to do some of the research and analysis that specialized reconnaissance teams can perform.” San Soucie nevertheless suggests treading carefully when doing this research. "While you can get to most of these sites using standard https, I still consider them dark and strongly recommend accessing them via a VPN as both criminal and government sources track access in some cases.” Read on for a collection of some of the popular sites where private data, credentials, and attack tools are up for sale, or even for free download. Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance—with a focus on specialized industries such as ...
Symantec CEO looks to grow the capabilities of company's consumer and enterprise business units. Symantec announced on November 21 that it is acquiring identity protection vendor Lifelock, in a deal valued at $2.3 billion.

The deal is expected to close...
Symantec, one of the biggest consumer computer security firms in the world, is about to become even bigger with plans to buy LifeLock—an identity-theft protection service. The proposed $2.3 billion (£1.86 billion) deal has been okayed by the boards of directors of both companies, and is expected to close in the first quarter of 2017, pending regulatory approval. LifeLock's shareholders will receive $24 (£19.45) per share—a 16 percent premium to its closing price on Friday of $20.75. Symantec, which owns the Norton suite of cybersecurity software, claimed that the deal will make it the world's largest consumer-facing online protection outfit. "As we all know, consumer cybercrime has reached crisis levels. LifeLock is a leading provider of identity and fraud protection services, with over 4.4 million highly-satisfied members and growing. With the combination of Norton and LifeLock, we will be able to deliver comprehensive cyber defence for consumers,” said Symantec chief Greg Clark. The cybersecurity market is growing: it's currently worth around $10 billion (£8.1 billion), while Symantec estimates that the total addressable market in the US alone is 80 million people. Tempe, Arizona-headquartered LifeLock says it provides "proactive identity theft protection services for consumers and consumer risk management services for enterprises." Among other things, it apparently alerts users to unauthorised identity access by monitoring new account openings and credit applications, while it also trains police, government, merchants, and NGOs in identity protection techniques. Symantec is taking on $750 million (£608 million) in new debt to finance the purchase, which follows its acquisition in August of cloud security firm Blue Coat for $4.65 billion (£3.77 billion).

That deal saw Clark—who had been Blue Coat’s CEO—take the helm at Symantec.

The company's former boss, Michael Brown, was ousted earlier this year following disappointing financial results. This post originated on Ars Technica UK
Bid to mitigate damage in face of declining anti-virus sales

Symantec has bought identity theft protection firm LifeLock for $2.3bn. The deal, announced Sunday, represents a brave bid by Symantec to shore up a consumer security business eroded by dwindling anti-virus sales. Selling Norton consumer security alongside identity protection and remediation services from LifeLock will enable sustainable "consumer segment revenue and profit growth", according to Symantec.

The security giant said it plans to finance the transaction with cash supplemented by $750m of new debt.

The deal – which is subject to LifeLock stockholder approval and US regulatory approval – is not expected to affect Symantec's FY17 results. Symantec's share price dropped marginally on the announcement of a deal that effectively involves it "doubling down" on the consumer security market.

Data breaches and the identity theft that sometimes results are a growing problem but whether the sometimes controversial LifeLock offers a comprehensive defence is far from convincing. LifeLock's identity theft protection system is designed to alert subscribers about fraudulent applications for loans, credit cards or other financial services. The $2.3bn price tag ($24 per share) offered from Symantec represents a 16 per cent premium on LifeLock's Friday closing share price of $20.75, itself a year-long high. LifeLock was also reportedly being pursued by private equity firms Permira, TPG, and Evergreen Coast Capital, as well as Symantec. Symantec sold data storage software firm Veritas to Carlyle Group for $7.4bn earlier this year.
Since then it has purchased Blue Coat for $4.65bn and now LifeLock for $2.3 billion in a bid to redefine itself as a pure play cybersecurity firm. The purchase price looks high even though LifeLock is profitable.

The company's net income for 3Q16 came out at $14.4m on sales of $170.3m. Last year LifeLock was obliged to pay $100 million to settle charges (PDF) of failing to maintain a comprehensive information security program and deceptive advertising.

The court order followed FTC enforcement action against LifeLock for alleged violations of an earlier 2010 order. ®
If you had a personal computer in the late 90s, you probably thought that firewall protection was something that businesses needed, not consumers.
It took the ZoneAlarm crew years to get out the message that consumers need firewall protection too.

Next month's update to Microsoft's nearly 1-year-old OS will include several new features to help keep users and their data safe. When the Windows 10 Anniversary Update arrives Aug 2, it will include several new security features that are designed to p...
Comcast and Charter yesterday told US senators how they're trying to fix their poorly rated customer service.

Executives from the nation's two largest cable companies testified in a hearing in response to a Senate investigation detailing the industry's shortcomings. Comcast Cable Senior VP of Customer Service Tom Karinshak detailed some customer service initiatives, mostly ones that are already in progress.

Transcripts of the companies' testimony along with Senate investigative reports are available here.

AT&T (owner of DirecTV) and Dish also testified. "At Comcast, we understand why we are here," Karinshak said. "We and the industry as a whole have not always made customer service the high priority it should have been. We regret that history and have committed to our customers that we will lead the way with initiatives to change it; we are committed to making every part of our customers’ experience better, and we have already begun to do so." Comcast said it has come up with a customer "Bill of Rights" with principles including these: more training and technology for employees; fair prices for customers; being on time and minimizing wait times; enabling self-service; keeping bills simple and transparent; re-assessing policies and fees that frustrate customers; crediting customers proactively for outages and billing errors; allowing customers to end their service without a hassle; [and] measuring employees on customer satisfaction. A Senate investigative report found that Charter and its new subsidiary, Time Warner Cable (TWC), have been overcharging customers at least $7.2 million per year for equipment and service. While Comcast apparently isn't as big an offender in that area, Senate Democrats released a second report detailing other failures common to Comcast and fellow pay-TV operators. The report gave special attention to the various fees that raise prices above advertised rates and how cable companies make it hard for customers to downgrade or cancel service. Comcast has been particularly infamous in this regard, with "retention agents" refusing to process cancelation requests until Comcast customers convince agents that they really do have a good reason to cancel. In response to senators' criticism, Karinshak said Comcast has "provided additional guidance to our retention representatives about the disconnect process for our customers and continue to work on ways to further streamline disconnect requests.

For example, we’re piloting a program to make it easier to cancel service online.

As part of the pilot, customers can now log on, enter a request, and cancel their service. We follow up by phone within two days just to verify the request, which we have to do for privacy and identity protection reasons (e.g., to verify the identity and credentials of the individual who canceled the account), and we will even make arrangements for them so all they have to do is drop any equipment they have at a local UPS store and have it sent back to us at no charge. We are continuing to explore other ways to make this process even simpler for our customers." Even this process can't be fully completed online and requires customers to explain why they're canceling, we noted in a previous story about California legislation that would require ISPs to let customers cancel online. As for fees, Karinshak said Comcast recently stopped charging "change-of-service fees" but said it continues to charge many others.

Charging for "optional add-on services like our DVR service or for enabling HD technology" allows customers to get a lower bill if they don't want those services, he said. Comcast has extended the time in which customers can dispute charges from 60 to 120 days, given "front-line agents" the authority to issue credits of up to $100, and "afforded customers who say that they returned equipment the benefit of the doubt without requiring a receipt," he said. Other ongoing Comcast customer service initiatives described by Karinshak include the following: Creating more than 5,500 US-based customer service jobs over three years. Automatically crediting customers $20 when technicians arrive late. Giving employees a new cloud-based platform with "a better, holistic view of the customer’s account history so they have everything they need... to help customers faster and you won’t need to start over each time you talk to a different agent." Renovating and opening hundreds of retail stores. Devoting 125 employees to handle complaints on social media. Providing an interactive troubleshooting guide for customers within the "My Account" app. Karinshak also said that pay plans for employees, including top executives, now depend on customer satisfaction scores—which are pretty low, at least when measured by third-party research firms.

But Comcast uses internal metrics to judge its employees and set pay, the company told Ars.

Charter's plan and more details on overcharges

Charter, meanwhile, has its work cut out for it because it's still in the early stages of integrating Time Warner Cable (TWC) after an acquisition that made the company nearly four times larger. Charter has been trying to improve customer service since 2012, in part by "insourc[ing] thousands of Americans jobs that had previously been located overseas," said Charter Executive VP of Customer Operations Kathleen Mayo. Charter expects to hire another 20,000 US citizens as it continues to in-source service operations. "Today, nearly 90 percent of our customer calls are handled onshore and in-house, and 95 percent of our in-home service visits are performed by Charter employees, rather than third-party contractors," Mayo said. "By bringing those jobs in-house, Charter is better able to manage and train the people who work directly with our customers." As we reported yesterday, Charter has agreed—under pressure from senators—to identify billing overcharges and automatically credit customers. Out of 11 million Charter boxes in customers' homes (excluding TWC), Charter found 63,000 instances where customers were overbilled for the boxes at some point over the past 9 months.
Since Charter acknowledged that it has overcharged customers at least $442,691 per month, that works out to average overcharges of $63.28 for each box victimized by over-billing.

Before the TWC merger, Charter had 6.8 million subscribers, so there's more than one box per customer. "We were pleased that our accuracy rate [more than 99 percent] was as high as it was, but I will never be satisfied until we have zero instances of over-billing," Mayo said. "For the affected customers we identified over the course of this review, we will explain in their next bill that they were overcharged and will be issued a 12-month credit for those equipment fees.

During the course of this process, we also discovered approximately 9,000 boxes for which customers were not billed, though they should have been. We will correct and explain the discrepancy moving forward but will not seek to collect those fees that should have been charged." To eliminate this type of billing problem going forward, Charter has implemented "controls to catch any box/customer mismatch on a daily basis." The Senate report said this is progress, but added that it doesn't offer a complete solution.

Charter has not yet completed all the work necessary to determine how much it has over-billed customers, the report said.

That's why the numbers are described as the minimum that Charter has overcharged customers, rather than the full amount. Charter also "estimates that it has annually overcharged approximately 5,897 Missouri customers a total of $494,000 each year," nearly $84 per customer.

This data came in response to a query by Sen.

Claire McCaskill (D-Mo.). TWC—which was still independent when the Senate began its investigation—has started performing monthly audits to find overcharges and issue automatic credits, and it will move from monthly to daily audits under Charter ownership.

But the changes won't involve refunds to customers for all of the overcharges they've paid over the years. Neither Charter nor TWC automatically refunded or credited customers during the 6.5-year span studied by the Senate investigation. Time Warner Cable's total overcharges worked out to $1.9 million a year, affecting a small fraction of the 37 million pieces of equipment in service. "Our equipment billing error rate for video subscribers is a very small .07 percent and for Internet subscribers, .03 percent," TWC Chief Operating Officer John Keib said. (Keib left the company after the Charter acquisition.) Mayo said Charter is trying to be "a different kind of cable company." "To improve the customer experience and focus instead on our products, we don’t charge common industry fees like additional modem fees, sports surcharges, separate USF [Universal Service Fund] fees, or early termination charges," Mayo said. Charter says its metrics show a 12-percent increase in customer satisfaction since 2011. While senators pointed out that customers often cannot get their problems resolved on the first phone call, Charter said it is resolving problems on the first call 80 percent of the time. There's still a ways to go for both Charter and Comcast: a recent Temkin Group customer survey rated ISPs and pay-TV providers as the nation's least-liked industries.

As we previously reported, "Among eight ISPs rated, four got very poor ratings: Time Warner Cable (48 percent), Charter (48 percent), Cablevision (47 percent), and Comcast (40 percent)." Comcast scores remain low even though Comcast Executive VP David Cohen pledged major changes in front of a Senate hearing more than two years ago. Disclosure: The Advance/Newhouse Partnership, which owns about 13 percent of Charter, is part of Advance Publications.

Advance Publications owns Condé Nast, which owns Ars Technica.
Lost info includes names, addresses, numbers and security codes

Acer's insecure customer database spilled people's personal information – including full payment card numbers – into hackers' hands for more than a year. The PC maker has started writing to customers [PDF] warning that their personal records were siphoned off from its online store by crooks between May 12, 2015 and April 28, 2016. Acer did not say how many customers had their details swiped. The lost data includes customer names, addresses, card numbers, and three-digit security verification codes on the backs of the cards.

Acer says that no passwords or social security numbers were obtained by the thieves, which will be of no comfort whatsoever to the victims. "We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts," said Acer vice-president of customer service Mark Groveunder. "We have reported this issue to our credit card payment processor. We have also contacted and offered our full cooperation to federal law enforcement." Acer urges customers who suspect their card numbers are being used for fraudulent charges to file reports with the police. "If you suspect that you are a victim of identity theft or fraud, you have the right to file a police report," Groveunder added in the letter. "In addition, you may contact your State Attorney General’s office or the US Federal Trade Commission to learn about steps you can take to protect yourself against identity theft." Acer did not say if will be providing identity protection services to the folks whose payment card information it lost.

The Taiwanese giant has since addressed the security vulnerability that allowed hackers to access its ecommerce website's database. "We regret this incident occurred, and we will be working hard to enhance our security," Groveunder said. ®
In light of the massive LinkedIn breach, Microsoft sets tough password policies on its accounts and Azure Active Directory.

LinkedIn was hit by a breach in June 2012, affecting 6 million users, the social network originally said. Nearly four years later, a clearer picture of the incident has emerged: 100 million LinkedIn users' passwords were potentially stolen. "On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online.

This was not a new security breach or hack," states an email distributed to LinkedIn users from the social network's legal team. "We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk."

Despite these steps, LinkedIn users may still be at risk. Hackers are reportedly selling the trove of stolen emails and passwords, and even if they no longer work with LinkedIn, the credentials can potentially be used to unlock other popular sites and online services due to password reuse.

Microsoft accounts, those used to log into OneDrive, Xbox Live, Outlook.com and a host of other online services from the software giant, are already being immunized against password attacks that stem from breaches like the one suffered by LinkedIn, said Alex Weinert, group program manager of Microsoft Azure Active Directory (AD) Identity Protection. "When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common—we both analyze the passwords that are being used most commonly," he wrote in a blog post. "Bad guys use this data to inform their attacks—whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won't work." Microsoft then uses the data it collects to outright block users from choosing a commonly used password or one that is similar.

This precaution is already active on Microsoft user accounts and is currently in private beta for enterprise customers in Azure AD.
In the coming months, Microsoft plans to enable the feature across all of its 10 million-plus Azure AD tenants, added Weinert.

While it's a seemingly consumer-friendly step to take, James Romer, chief security architect at SecureAuth, said that the move by Microsoft hints at an overreliance on username-password combinations for keeping its user data out of the hands of hackers. "Microsoft reacting like this is the easiest way for them to at least mitigate the risk caused by this password reuse. It buys them some time and reduces embarrassment should they also be breached," he wrote in an email sent to eWEEK. "It is an admission that a problem exists within their environment where usernames and passwords are the sole protection points."

Passwords fall short in preventing modern-day cyber-attacks, argued Romer. "Relying on passwords in today's complex landscape is not solving a problem or preventing the inevitable.

The point of attack still remains the same and therefore the underlying vulnerability remains."
The company's "dynamically banned" codes are based on the current attack list.

As long as we use alphanumeric passwords, people will always try to safeguard personal data with codes like "123456" or "password." But Microsoft is taking a stance against stupid passcodes by banning those it deems weak. Gathering data from 10 million-plus daily account attacks, Redmond maintains a regularly updated list of taboo passwords—"dynamically banned" codes that the company prevents customers from using.
In place of the usual sliding scale of "weak" to "strong," a new program forces users to "choose a password that's harder for people to guess." "The most important thing to keep in mind when selecting a password is to choose one that is unique, and therefore hard to guess," Alex Weinert, group program manager of the Azure AD Identity Protection team, wrote in a blog post. That means avoid terms like "qwerty," "welcome," "login," "football," "baseball," and "monkey." Unless you're not particularly attached to banking, medical, and other intimate personal details. Redmond is already banning these passwords on Microsoft Accounts; it's in preview in Azure Active Directory (AD) and will roll out to all 10 million Azure AD users over the coming months. The company's smart password lockout system, which locks people out after too many incorrect password guesses, will remain in place.
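The articles above describe a policy that rejects not just the banned passwords themselves but anything "similar" to them. The following is an added illustration of how such a check can be built, not Microsoft's code or its real banned list: it normalises the candidate the way an attacker's wordlist would (case, leetspeak, trailing year or punctuation padding) and then tests for exact matches, contained banned words, and one-edit near misses. The banned list here is a small constructed sample; a real deployment would refresh it from observed attack data as the article describes.

```python
import re
from typing import Optional, Set

# Constructed sample of an "attack list"; a real system would update this
# continuously from observed login attacks rather than ship a static set.
BANNED_PASSWORDS: Set[str] = {
    "password", "123456", "qwerty", "welcome", "login",
    "football", "baseball", "monkey", "letmein",
}

# Common substitutions that password-cracking wordlists already expand,
# so they add no real strength and are undone before comparison.
_LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the base word a cracking wordlist would hold.

    Lowercases, strips trailing year/punctuation padding and leading digits,
    then undoes leetspeak, so "P@ssw0rd2016!" normalises to "password".
    Purely numeric or symbolic candidates are compared as-is.
    """
    s = candidate.lower()
    if not any(c.isalpha() for c in s):
        return s
    s = re.sub(r"[^a-z]+$", "", s)   # "football!2024" -> "football!"... -> "football"
    s = re.sub(r"^\d+", "", s)       # "1password" -> "password"
    return s.translate(_LEET_MAP)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                  # keep a as the shorter (or equal) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1                   # substitution
            j += 1
        else:
            j += 1                   # insertion into the longer string
    edits += len(b) - j              # unmatched tail of the longer string
    return edits <= 1


def check_password(candidate: str, banned: Set[str] = BANNED_PASSWORDS) -> Optional[str]:
    """Return a rejection reason, or None if the candidate is not near the banned list."""
    lower = candidate.lower()
    if lower in banned:
        return f"exact match with banned password '{lower}'"
    norm = normalize(candidate)
    if norm in banned:
        return f"variant of banned password '{norm}'"
    # Longer banned words embedded in a longer string ("mywelcomehome").
    for word in sorted(banned):
        if word.isalpha() and len(word) >= 5 and word in norm:
            return f"contains banned word '{word}'"
    # Near misses such as "passwerd" or "1234567".
    for word in sorted(banned):
        if len(word) >= 6 and within_one_edit(norm, word):
            return f"too similar to banned password '{word}'"
    return None


if __name__ == "__main__":
    for pw in ["P@ssw0rd2016!", "Monkey99", "passwerd", "1234567", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```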